Edit tour

Windows Analysis Report
Doc171836.js

Overview

General Information

Sample name:	Doc171836.js
Analysis ID:	1619295
MD5:	da7ed43b68df0e3a40b48e1fbb8b539b
SHA1:	c53936f0811fe54dd3f57e525c1dd31f04bf249d
SHA256:	eb164525c66c559aec32c119a9e2fa54444caefcd32b944a12c459e80fd568c4
Tags:	jsTA578user-k3dg3___
Infos:

Detection

BruteRatel, Latrodectus

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected BruteRatel

Yara detected Latrodectus

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject threads in other processes

Creates a thread in another existing process (thread injection)

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Modifies the context of a thread in another process (thread injection)

Sample uses string decryption to hide its real strings

Sets debug register (to hijack the execution of another thread)

Sigma detected: WScript or CScript Dropper

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Binary contains a suspicious time stamp

Checks for available system drives (often done to infect USB drives)

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to retrieve information about pressed keystrokes

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

JavaScript source code contains large arrays or strings with random content potentially encoding malicious code

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Msiexec Initiated Connection

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected AdvancedInstaller

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

wscript.exe (PID: 6544 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Doc171836.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

msiexec.exe (PID: 5424 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 940 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 7439225C7269580DA474D5762FBBF668 MD5: 9D09DC1EDA745A5F87553048E57620CF)

NVIDIA Notification.exe (PID: 5804 cmdline: "C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe" MD5: 07459A0B5F524AD62B5B5401133D4D55)

explorer.exe (PID: 1028 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Brute Ratel C4, BruteRatel	Brute Ratel C4 (BRC4) is a commercial framework for red-teaming and adversarial attack simulation, which made its first appearance in December 2020. It was specifically designed to evade detection by endpoint detection and response (EDR) and antivirus (AV) capabilities. BRC4 allows operators to deploy a backdoor agent known as Badger (aka BOLDBADGER) within a target environment.This agent enables arbitrary command execution, facilitating lateral movement, privilege escalation, and the establishment of additional persistence avenues. The Badger backdoor agent can communicate with a remote server via DNS over HTTPS, HTTP, HTTPS, SMB, and TCP, using custom encrypted channels. It supports a variety of backdoor commands including shell command execution, file transfers, file execution, and credential harvesting. Additionally, the Badger agent can perform tasks such as port scanning, screenshot capturing, and keystroke logging. Notably, in September 2022, a cracked version of Brute Ratel C4 was leaked in the cybercriminal underground, leading to its use by threat actors.	No Attribution	https://0xdarkvortex.dev/hiding-in-plainsight/ https://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/ https://andreafortuna.org/2023/02/23/how-to-detect-brute-ratel-activities https://blog.eclecticiq.com/inside-intelligence-center-lunar-spider-enabling-ransomware-attacks-on-financial-sector-with-brute-ratel-c4-and-latrodectus https://blog.krakz.fr/articles/latrodectus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.brute_ratel_c4

Name	Description	Attribution	Blogpost URLs	Link
Latrodectus, Latrodectus	First discovered in October 2023, BLACKWIDOW is a backdoor written in C that communicates over HTTP using RC4 encrypted requests. The malware has the capability to execute discovery commands, query information about the victim's machine, update itself, as well as download and execute an EXE, DLL, or shellcode. The malware is believed to have been developed by LUNAR SPIDER, the creators of IcedID (aka BokBot) Malware.	No Attribution	https://0x0d4y.blog/case-study-analyzing-and-implementing-string-decryption-algorithms-latrodectus/ https://0x0d4y.blog/latrodectus-technical-analysis-of-the-new-icedid/ https://any.run/malware-trends/latrodectus https://blog.eclecticiq.com/inside-intelligence-center-lunar-spider-enabling-ransomware-attacks-on-financial-sector-with-brute-ratel-c4-and-latrodectus https://blog.krakz.fr/articles/latrodectus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.latrodectus

Malware Configuration

Threatname: Latrodectus

{"C2 url": ["https://tynifinilam.com/test/", "https://horetimodual.com/test/"], "Group Name": "Lotus", "Campaign ID": 3938989244}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_AdvancedInstaller	Yara detected AdvancedInstaller	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000004.00000003.2307209705.00007FF42A290000.00000004.00001000.00020000.00000000.sdmp	latrodectus_exports	detection based on the exports	Sekoia.io
00000006.00000000.2290915982.0000000008380000.00000040.00000001.00020000.00000000.sdmp	latrodectus_exports	detection based on the exports	Sekoia.io
00000006.00000002.3370167751.0000000008380000.00000040.00000001.00020000.00000000.sdmp	latrodectus_exports	detection based on the exports	Sekoia.io
00000004.00000003.2284961805.000002AD19604000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BruteRatel_1	Yara detected BruteRatel	Joe Security
00000004.00000002.3367947981.000002AD19798000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BruteRatel_1	Yara detected BruteRatel	Joe Security
00000006.00000002.3386556969.000000000F10C000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000004.00000002.3367444627.000002AD195D5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BruteRatel_1	Yara detected BruteRatel	Joe Security
00000004.00000003.2159080582.000002AD18E90000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: NVIDIA Notification.exe PID: 5804	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: NVIDIA Notification.exe PID: 5804	JoeSecurity_BruteRatel_1	Yara detected BruteRatel	Joe Security
Process Memory Space: explorer.exe PID: 1028	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
decrypted.memstr	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author
6.0.explorer.exe.8380000.0.raw.unpack	latrodectus_exports	detection based on the exports	Sekoia.io
4.3.NVIDIA Notification.exe.7ff42a290000.50.raw.unpack	latrodectus_exports	detection based on the exports	Sekoia.io
6.0.explorer.exe.8380000.0.unpack	latrodectus_exports	detection based on the exports	Sekoia.io
6.2.explorer.exe.8380000.0.unpack	latrodectus_exports	detection based on the exports	Sekoia.io
4.3.NVIDIA Notification.exe.7ff42a290000.50.unpack	latrodectus_exports	detection based on the exports	Sekoia.io
6.2.explorer.exe.8380000.0.raw.unpack	latrodectus_exports	detection based on the exports	Sekoia.io
4.3.NVIDIA Notification.exe.2ad18e90000.3.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 2 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Doc171836.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Doc171836.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Doc171836.js", ProcessId: 6544, ProcessName: wscript.exe

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 104.21.23.216, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\msiexec.exe, Initiated: true, ProcessId: 5424, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49704

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Doc171836.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Doc171836.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Doc171836.js", ProcessId: 6544, ProcessName: wscript.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-19T19:03:52.493236+0100	2028371	3	Unknown Traffic	192.168.2.5	49981	188.114.96.3	443	TCP
2025-02-19T19:03:53.419103+0100	2028371	3	Unknown Traffic	192.168.2.5	49982	104.21.95.192	443	TCP
2025-02-19T19:03:54.327453+0100	2028371	3	Unknown Traffic	192.168.2.5	49983	188.114.96.3	443	TCP
2025-02-19T19:03:55.252002+0100	2028371	3	Unknown Traffic	192.168.2.5	49984	104.21.95.192	443	TCP
2025-02-19T19:03:56.068495+0100	2028371	3	Unknown Traffic	192.168.2.5	49985	188.114.96.3	443	TCP
2025-02-19T19:03:56.960596+0100	2028371	3	Unknown Traffic	192.168.2.5	49986	104.21.95.192	443	TCP
2025-02-19T19:03:57.791204+0100	2028371	3	Unknown Traffic	192.168.2.5	49987	188.114.96.3	443	TCP
2025-02-19T19:03:58.668083+0100	2028371	3	Unknown Traffic	192.168.2.5	49988	104.21.95.192	443	TCP
2025-02-19T19:03:59.502018+0100	2028371	3	Unknown Traffic	192.168.2.5	49989	188.114.96.3	443	TCP
2025-02-19T19:04:00.364295+0100	2028371	3	Unknown Traffic	192.168.2.5	49990	104.21.95.192	443	TCP
2025-02-19T19:04:01.184527+0100	2028371	3	Unknown Traffic	192.168.2.5	49991	188.114.96.3	443	TCP
2025-02-19T19:04:02.052617+0100	2028371	3	Unknown Traffic	192.168.2.5	49992	104.21.95.192	443	TCP
2025-02-19T19:04:02.872207+0100	2028371	3	Unknown Traffic	192.168.2.5	49993	188.114.96.3	443	TCP
2025-02-19T19:04:03.794310+0100	2028371	3	Unknown Traffic	192.168.2.5	49994	104.21.95.192	443	TCP
2025-02-19T19:04:04.651493+0100	2028371	3	Unknown Traffic	192.168.2.5	49995	188.114.96.3	443	TCP
2025-02-19T19:04:05.517821+0100	2028371	3	Unknown Traffic	192.168.2.5	49996	104.21.95.192	443	TCP
2025-02-19T19:04:06.409919+0100	2028371	3	Unknown Traffic	192.168.2.5	49997	188.114.96.3	443	TCP
2025-02-19T19:04:07.307770+0100	2028371	3	Unknown Traffic	192.168.2.5	49998	104.21.95.192	443	TCP
2025-02-19T19:04:08.138368+0100	2028371	3	Unknown Traffic	192.168.2.5	49999	188.114.96.3	443	TCP
2025-02-19T19:04:09.028548+0100	2028371	3	Unknown Traffic	192.168.2.5	50000	104.21.95.192	443	TCP
2025-02-19T19:04:09.880346+0100	2028371	3	Unknown Traffic	192.168.2.5	50001	188.114.96.3	443	TCP
2025-02-19T19:04:10.772537+0100	2028371	3	Unknown Traffic	192.168.2.5	50002	104.21.95.192	443	TCP
2025-02-19T19:04:11.612284+0100	2028371	3	Unknown Traffic	192.168.2.5	50004	188.114.96.3	443	TCP
2025-02-19T19:04:12.491561+0100	2028371	3	Unknown Traffic	192.168.2.5	50005	104.21.95.192	443	TCP
2025-02-19T19:04:13.436289+0100	2028371	3	Unknown Traffic	192.168.2.5	50006	188.114.96.3	443	TCP
2025-02-19T19:04:14.448027+0100	2028371	3	Unknown Traffic	192.168.2.5	50007	104.21.95.192	443	TCP
2025-02-19T19:04:15.219620+0100	2028371	3	Unknown Traffic	192.168.2.5	50008	188.114.96.3	443	TCP
2025-02-19T19:04:16.200165+0100	2028371	3	Unknown Traffic	192.168.2.5	50009	104.21.95.192	443	TCP
2025-02-19T19:04:17.065840+0100	2028371	3	Unknown Traffic	192.168.2.5	50010	188.114.96.3	443	TCP
2025-02-19T19:04:17.937978+0100	2028371	3	Unknown Traffic	192.168.2.5	50011	104.21.95.192	443	TCP

ET MALWARE Latrodectus Loader Related Activity (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-19T19:03:52.528636+0100	2048735	1	A Network Trojan was detected	192.168.2.5	49981	188.114.96.3	443	TCP
2025-02-19T19:03:53.424208+0100	2048735	1	A Network Trojan was detected	192.168.2.5	49982	104.21.95.192	443	TCP
2025-02-19T19:03:54.336801+0100	2048735	1	A Network Trojan was detected	192.168.2.5	49983	188.114.96.3	443	TCP
2025-02-19T19:03:55.254584+0100	2048735	1	A Network Trojan was detected	192.168.2.5	49984	104.21.95.192	443	TCP
2025-02-19T19:03:56.070143+0100	2048735	1	A Network Trojan was detected	192.168.2.5	49985	188.114.96.3	443	TCP
2025-02-19T19:03:56.970043+0100	2048735	1	A Network Trojan was detected	192.168.2.5	49986	104.21.95.192	443	TCP
2025-02-19T19:03:57.793149+0100	2048735	1	A Network Trojan was detected	192.168.2.5	49987	188.114.96.3	443	TCP
2025-02-19T19:03:58.669724+0100	2048735	1	A Network Trojan was detected	192.168.2.5	49988	104.21.95.192	443	TCP
2025-02-19T19:03:59.504451+0100	2048735	1	A Network Trojan was detected	192.168.2.5	49989	188.114.96.3	443	TCP
2025-02-19T19:04:00.365783+0100	2048735	1	A Network Trojan was detected	192.168.2.5	49990	104.21.95.192	443	TCP
2025-02-19T19:04:01.187242+0100	2048735	1	A Network Trojan was detected	192.168.2.5	49991	188.114.96.3	443	TCP
2025-02-19T19:04:02.054753+0100	2048735	1	A Network Trojan was detected	192.168.2.5	49992	104.21.95.192	443	TCP
2025-02-19T19:04:02.874548+0100	2048735	1	A Network Trojan was detected	192.168.2.5	49993	188.114.96.3	443	TCP
2025-02-19T19:04:03.796101+0100	2048735	1	A Network Trojan was detected	192.168.2.5	49994	104.21.95.192	443	TCP
2025-02-19T19:04:04.661433+0100	2048735	1	A Network Trojan was detected	192.168.2.5	49995	188.114.96.3	443	TCP
2025-02-19T19:04:05.519818+0100	2048735	1	A Network Trojan was detected	192.168.2.5	49996	104.21.95.192	443	TCP
2025-02-19T19:04:06.411950+0100	2048735	1	A Network Trojan was detected	192.168.2.5	49997	188.114.96.3	443	TCP
2025-02-19T19:04:07.320387+0100	2048735	1	A Network Trojan was detected	192.168.2.5	49998	104.21.95.192	443	TCP
2025-02-19T19:04:08.142496+0100	2048735	1	A Network Trojan was detected	192.168.2.5	49999	188.114.96.3	443	TCP
2025-02-19T19:04:09.029925+0100	2048735	1	A Network Trojan was detected	192.168.2.5	50000	104.21.95.192	443	TCP
2025-02-19T19:04:09.887559+0100	2048735	1	A Network Trojan was detected	192.168.2.5	50001	188.114.96.3	443	TCP
2025-02-19T19:04:10.774759+0100	2048735	1	A Network Trojan was detected	192.168.2.5	50002	104.21.95.192	443	TCP
2025-02-19T19:04:11.614220+0100	2048735	1	A Network Trojan was detected	192.168.2.5	50004	188.114.96.3	443	TCP
2025-02-19T19:04:12.636680+0100	2048735	1	A Network Trojan was detected	192.168.2.5	50005	104.21.95.192	443	TCP
2025-02-19T19:04:13.438029+0100	2048735	1	A Network Trojan was detected	192.168.2.5	50006	188.114.96.3	443	TCP
2025-02-19T19:04:14.449773+0100	2048735	1	A Network Trojan was detected	192.168.2.5	50007	104.21.95.192	443	TCP
2025-02-19T19:04:15.232036+0100	2048735	1	A Network Trojan was detected	192.168.2.5	50008	188.114.96.3	443	TCP
2025-02-19T19:04:16.229168+0100	2048735	1	A Network Trojan was detected	192.168.2.5	50009	104.21.95.192	443	TCP
2025-02-19T19:04:17.067695+0100	2048735	1	A Network Trojan was detected	192.168.2.5	50010	188.114.96.3	443	TCP
2025-02-19T19:04:17.940047+0100	2048735	1	A Network Trojan was detected	192.168.2.5	50011	104.21.95.192	443	TCP

ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-19T19:02:16.020178+0100	2829202	1	A Network Trojan was detected	192.168.2.5	49707	104.21.23.216	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 6.0.explorer.exe.8380000.0.raw.unpack

Malware Configuration Extractor: Latrodectus {"C2 url": ["https://tynifinilam.com/test/", "https://horetimodual.com/test/"], "Group Name": "Lotus", "Campaign ID": 3938989244}

Sample uses string decryption to hide its real strings

Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: /c ipconfig /all
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: /c systeminfo
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: /c nltest /domain_trusts
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: /c net view /all
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: /c nltest /domain_trusts /all_trusts
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: /c net view /all /domain
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: &ipconfig=
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: /c net group "Domain Admins" /domain
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: C:\Windows\System32\wbem\wmic.exe
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: /c net config workstation
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName \| findstr /V /B /C:displayName \|\| echo No Antivirus installed
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: /c whoami /groups
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: &systeminfo=
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: &domain_trusts=
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: &domain_trusts_all=
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: &net_view_all_domain=
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: &net_view_all=
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: &net_group=
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: &wmic=
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: &net_config_ws=
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: &net_wmic_av=
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: &whoami_group=
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: "pid":
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: "%d",
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: "proc":
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: "%s",
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: "subproc": [
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: &proclist=[
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: "pid":
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: "%d",
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: "proc":
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: "%s",
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: "subproc": [
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: &desklinks=[
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: .
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: "%s"
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: Update_%x
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: Custom_update
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: .dll
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: .exe
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: Error
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: runnung
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: %s/%s
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: front
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: /files/
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: Lotus
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: Cookie:
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: POST
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: GET
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: curl/7.88.1
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: CLEARURL
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: URLS
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: COMMAND
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: ERROR
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: PfuKfm6FWKILm6aBzHjfLsa3TbcSQ0bEvuuBSDX954aW9VNS4Y7b3kV3NeqZsB8n
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: [{"data":"
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: "}]
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: &dpost=
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: https://tynifinilam.com/test/
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: https://horetimodual.com/test/
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: \*.dll
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: AppData
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: Desktop
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: Startup
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: Personal
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: Local AppData
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: C:\WINDOWS\SYSTEM32\rundll32.exe %s,%s
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: <!DOCTYPE
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: %s%d.dll
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: C:\WINDOWS\SYSTEM32\rundll32.exe %s
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: <html>
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: Content-Type: application/dns-message
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: Content-Type: application/ocsp-request
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: Content-Length: 0
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: 12345
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: 12345
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: &stiller=
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: %s%d.exe
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: %x%x
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: &mac=
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: %02x
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: :%02x
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: &computername=%s
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: &domain=%s
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: %04X%04X%04X%04X%08X%04X
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: %04X%04X%04X%04X%08X%04X
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: \Registry\Machine\
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: LogonTrigger
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: TimeTrigger
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: PT0H%02dM
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: %04d-%02d-%02dT%02d:%02d:%02d
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: PT0S
Source: 6.0.explorer.exe.8380000.0.raw.unpack	String decryptor: \update_data.dat

Source: unknown	HTTPS traffic detected: 104.21.23.216:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.23.216:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49981 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.95.192:443 -> 192.168.2.5:49982 version: TLS 1.2

Source:	Binary string: UxTheme.pdb source: NVIDIA Notification.exe, 00000004.00000003.2176267619.000002AD18C50000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: netutils.pdbUGP source: NVIDIA Notification.exe, 00000004.00000003.2185208618.000002AD17280000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: oleacc.pdbUGP source: NVIDIA Notification.exe, 00000004.00000003.2186161817.000002AD18BB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\u\workspace\03_27\cefwinauto\build\Release\x86_64\src\NVIDIA Notification.pdb source: NVIDIA Notification.exe, 00000004.00000002.3368806704.00007FF607A47000.00000002.00000001.01000000.00000006.sdmp, NVIDIA Notification.exe, 00000004.00000000.2152261554.00007FF607A47000.00000002.00000001.01000000.00000006.sdmp, NVIDIA Notification.exe, 00000004.00000003.2156076643.000002AD18EF0000.00000004.00001000.00020000.00000000.sdmp, NVIDIA Notification.exe.1.dr
Source:	Binary string: msvcrt.pdbGCTL source: NVIDIA Notification.exe, 00000004.00000003.2159703697.000002AD18C50000.00000004.00001000.00020000.00000000.sdmp, msvcrt.dll.1.dr
Source:	Binary string: bcrypt.pdb source: NVIDIA Notification.exe, 00000004.00000003.2178561411.000002AD172A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdb source: NVIDIA Notification.exe, 00000004.00000003.2160814015.000002AD18CB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcrt.pdb source: NVIDIA Notification.exe, 00000004.00000003.2159703697.000002AD18C50000.00000004.00001000.00020000.00000000.sdmp, msvcrt.dll.1.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140_1.amd64.pdbGCTL source: msvcp140_1.dll.1.dr
Source:	Binary string: rpcrt4.pdbUGP source: NVIDIA Notification.exe, 00000004.00000003.2160112251.000002AD18CE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cryptsp.pdb source: NVIDIA Notification.exe, 00000004.00000003.2186795564.000002AD17290000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: UxTheme.pdbUGP source: NVIDIA Notification.exe, 00000004.00000003.2176267619.000002AD18C50000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: dxgi.pdbUGP source: NVIDIA Notification.exe, 00000004.00000003.2175379554.000002AD18CA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: advapi32.pdb source: NVIDIA Notification.exe, 00000004.00000003.2170273985.000002AD18C60000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: winmm.pdbUGP source: NVIDIA Notification.exe, 00000004.00000003.2186424764.000002AD172A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: vcruntime140_1.dll.1.dr
Source:	Binary string: crypt32.pdbUGP source: NVIDIA Notification.exe, 00000004.00000003.2160486051.000002AD18D10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: urlmon.pdb source: NVIDIA Notification.exe, 00000004.00000003.2171284836.000002AD18D90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: winspool.pdbUGP source: NVIDIA Notification.exe, 00000004.00000003.2185030133.000002AD18C50000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: QimasteredudfhelpUDFJOLIETvolumelabelItemOrderItemPos%s (%d).%sData\Program Files\.cdxml.cer.automaticdestinations-ms.cat.appxbundle.appxpackageWindows.old\.appxWindows\$Windows.~BT\Program Files (x86)\ProgramData\Data\Windows\Program Files\Data\Program Files (x86)\Data\ProgramData\.msp.msu.msip.msm.mpb.msi.jar.mp.etl.fon.dsft.efi.der.dmp.cookie.customdestinations-ms.partial.pdb.p7s.p7x.p7m.p7r.p7b.p7c.p10.p12.ost.otf.ocx.olb.mui.nst.vmcx.vmrs.ttc.vbs.sst.sys.spc.spkg.rll.sft.psc1.psf.pfx.ps1xml.pem.pfm.xapWININET.winmd.wsf.wfs.wim.vsi.vsix\shellft%06dBrowserFlagsAlwaysShowExtNeverShowExtIfExecTopicL source: NVIDIA Notification.exe, 00000004.00000003.2165863950.000002AD19300000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wlanapi.pdb source: NVIDIA Notification.exe, 00000004.00000003.2174063390.000002AD18C30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: shlwapi.pdb source: NVIDIA Notification.exe, 00000004.00000003.2159538014.000002AD18BB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: shlwapi.pdbUGP source: NVIDIA Notification.exe, 00000004.00000003.2159538014.000002AD18BB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: dwmapi.pdbUGP source: NVIDIA Notification.exe, 00000004.00000003.2183164557.000002AD172A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: kernel32.pdb source: NVIDIA Notification.exe, 00000004.00000003.2158501136.000002AD18C70000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: user32.pdbUGP source: NVIDIA Notification.exe, 00000004.00000003.2161163241.000002AD18D50000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cryptui.pdbGCTL source: NVIDIA Notification.exe, 00000004.00000003.2177293426.000002AD18BB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: win32u.pdb source: NVIDIA Notification.exe, 00000004.00000003.2161719031.000002AD172A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: dwmapi.pdb source: NVIDIA Notification.exe, 00000004.00000003.2183164557.000002AD172A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: srvcli.pdbUGP source: NVIDIA Notification.exe, 00000004.00000003.2184691366.000002AD17290000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: srvcli.pdb source: NVIDIA Notification.exe, 00000004.00000003.2184691366.000002AD17290000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: imm32.pdb source: NVIDIA Notification.exe, 00000004.00000003.2173581509.000002AD172A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: msvcp140.dll.1.dr
Source:	Binary string: ws2_32.pdb source: NVIDIA Notification.exe, 00000004.00000003.2159903231.000002AD18BB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: winspool.pdb source: NVIDIA Notification.exe, 00000004.00000003.2185030133.000002AD18C50000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: iphlpapi.pdbUGP source: NVIDIA Notification.exe, 00000004.00000003.2174728445.000002AD18BB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: iphlpapi.pdb source: NVIDIA Notification.exe, 00000004.00000003.2174728445.000002AD18BB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: NVIDIA Notification.exe, 00000004.00000003.2157678976.000002AD18DA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: winmm.pdb source: NVIDIA Notification.exe, 00000004.00000003.2186424764.000002AD172A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d3d9.pdb source: NVIDIA Notification.exe, 00000004.00000003.2181880784.000002AD18D80000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: vcruntime140.dll.1.dr
Source:	Binary string: ole32.pdb source: NVIDIA Notification.exe, 00000004.00000003.2168103368.000002AD18CE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: win32u.pdbGCTL source: NVIDIA Notification.exe, 00000004.00000003.2161719031.000002AD172A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\DataUploader.pdb] source: MSIB6EB.tmp.1.dr, MSI28B1.tmp.1.dr
Source:	Binary string: cryptui.pdb source: NVIDIA Notification.exe, 00000004.00000003.2177293426.000002AD18BB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: imm32.pdbUGP source: NVIDIA Notification.exe, 00000004.00000003.2173581509.000002AD172A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: iertutil.pdb source: NVIDIA Notification.exe, 00000004.00000003.2183681340.000002AD18E60000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcp_win.pdbUGP source: NVIDIA Notification.exe, 00000004.00000003.2164081106.000002AD18C50000.00000004.00001000.00020000.00000000.sdmp, msvcp_win.dll.1.dr
Source:	Binary string: advapi32.pdbUGP source: NVIDIA Notification.exe, 00000004.00000003.2170273985.000002AD18C60000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: oleaut32.pdbUGP source: NVIDIA Notification.exe, 00000004.00000003.2169862564.000002AD18C80000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: combase.pdb source: NVIDIA Notification.exe, 00000004.00000003.2169126439.000002AD18F10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Windows.Storage.pdb source: NVIDIA Notification.exe, 00000004.00000003.2187945112.000002AD19350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: profapi.pdbUGP source: NVIDIA Notification.exe, 00000004.00000003.2186628091.000002AD17290000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: urlmon.pdbUGP source: NVIDIA Notification.exe, 00000004.00000003.2171284836.000002AD18D90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: netutils.pdb source: NVIDIA Notification.exe, 00000004.00000003.2185208618.000002AD17280000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: kernelbase.pdb source: NVIDIA Notification.exe, 00000004.00000003.2159080582.000002AD18E90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: WLDP.pdbUGP source: NVIDIA Notification.exe, 00000004.00000003.2189245256.000002AD172A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: rpcrt4.pdb source: NVIDIA Notification.exe, 00000004.00000003.2160112251.000002AD18CE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d3d11.pdbUGP source: NVIDIA Notification.exe, 00000004.00000003.2177799711.000002AD18E20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: `OTHER`TEMP`PACKED<%s return value>internal error: failed to write debug data to pdb streaminternal error: failed to add section contributioninternal warning: PDB Error string is "%S"internal error: failed to close debug infointernal error: failed to close PDBinternal error: failed to open PDB for writing in streaminternal error: failed to create debug info in PDBinternal error: failed to add code section to debug infointernal error: failed to add module to debug infointernal error: failed to create type info in PDBinternal error: failed to create inline type info in PDBinternal error: failed to create source file store in PDBinternal error: failed to close source file store in PDBinternal error: failed to close module in debug infointernal error: failed to commit type info in PDBinternal error: failed to commit inline type info in PDBinternal error: failed to add section header to debug infointernal error: failed to append section header to pdbinternal error: failed to close section header in debug infointernal error: failed to close debug info in PDBinternal error: failed to commit PDBinternal error: PDB data too largeinternal error: PDB stream truncatedinternal error: failed to close source file storeinternal error: failed to close type infointernal error: pdb append failedfxl_4_0too many arguments to target TXtoo many outputs to target TXclip not supported in texture shadersinvalid reference to input semantic '%s%d'invalid reference to output semantic '%s%d'0123456789abcdef.pdbVPosSV_ViewportArrayIndexColorFailed to log error, redirecting to debug output: source: NVIDIA Notification.exe, 00000004.00000003.2179169164.000002AD19000000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: cryptsp.pdbUGP source: NVIDIA Notification.exe, 00000004.00000003.2186795564.000002AD17290000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: gdiplus.pdbUGP source: NVIDIA Notification.exe, 00000004.00000003.2176930589.000002AD18D60000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: shcore.pdb source: NVIDIA Notification.exe, 00000004.00000003.2184430657.000002AD18C60000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: MSIB6CB.tmp.1.dr, MSIB62D.tmp.1.dr, MSIB68C.tmp.1.dr, MSIBA38.tmp.1.dr, MSI28B1.tmp.1.dr
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: vcruntime140.dll.1.dr
Source:	Binary string: d3d9.pdbUGP source: NVIDIA Notification.exe, 00000004.00000003.2181880784.000002AD18D80000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: oleacc.pdb source: NVIDIA Notification.exe, 00000004.00000003.2186161817.000002AD18BB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: shell32.pdb source: NVIDIA Notification.exe, 00000004.00000003.2165863950.000002AD19300000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msvcp_win.pdb source: NVIDIA Notification.exe, 00000004.00000003.2164081106.000002AD18C50000.00000004.00001000.00020000.00000000.sdmp, msvcp_win.dll.1.dr
Source:	Binary string: wlanapi.pdbUGP source: NVIDIA Notification.exe, 00000004.00000003.2174063390.000002AD18C30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: gdi32.pdbUGP source: NVIDIA Notification.exe, 00000004.00000003.2162153115.000002AD172A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D3DCompiler_47.pdbGCTL source: NVIDIA Notification.exe, 00000004.00000003.2179169164.000002AD19000000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msimg32.pdb source: NVIDIA Notification.exe, 00000004.00000003.2177463857.000002AD17280000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: combase.pdbUGP source: NVIDIA Notification.exe, 00000004.00000003.2169126439.000002AD18F10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\DataUploader.pdb source: MSIB6EB.tmp.1.dr, MSI28B1.tmp.1.dr
Source:	Binary string: oledlg.pdbGCTL source: NVIDIA Notification.exe, 00000004.00000003.2189077926.000002AD18BB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: gdi32full.pdb source: NVIDIA Notification.exe, 00000004.00000003.2163307649.000002AD18CC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: MSIB6CB.tmp.1.dr, MSIB62D.tmp.1.dr, MSIB68C.tmp.1.dr, MSIBA38.tmp.1.dr, MSI28B1.tmp.1.dr
Source:	Binary string: d3d11.pdb source: NVIDIA Notification.exe, 00000004.00000003.2177799711.000002AD18E20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ucrtbase.pdbUGP source: NVIDIA Notification.exe, 00000004.00000003.2160814015.000002AD18CB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: gdiplus.pdb source: NVIDIA Notification.exe, 00000004.00000003.2176930589.000002AD18D60000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: bcrypt.pdbUGP source: NVIDIA Notification.exe, 00000004.00000003.2178561411.000002AD172A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: oledlg.pdb source: NVIDIA Notification.exe, 00000004.00000003.2189077926.000002AD18BB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: shell32.pdbUGP source: NVIDIA Notification.exe, 00000004.00000003.2165863950.000002AD19300000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: vcruntime140_1.dll.1.dr
Source:	Binary string: gdi32full.pdbUGP source: NVIDIA Notification.exe, 00000004.00000003.2163307649.000002AD18CC0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: gdi32.pdb source: NVIDIA Notification.exe, 00000004.00000003.2162153115.000002AD172A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: kernel32.pdbUGP source: NVIDIA Notification.exe, 00000004.00000003.2158501136.000002AD18C70000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: profapi.pdb source: NVIDIA Notification.exe, 00000004.00000003.2186628091.000002AD17290000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: WLDP.pdb source: NVIDIA Notification.exe, 00000004.00000003.2189245256.000002AD172A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: shcore.pdbUGP source: NVIDIA Notification.exe, 00000004.00000003.2184430657.000002AD18C60000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdbGCTL source: msvcp140.dll.1.dr
Source:	Binary string: sechost.pdb source: NVIDIA Notification.exe, 00000004.00000003.2171035452.000002AD18C50000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\msvcp140_1.amd64.pdb source: msvcp140_1.dll.1.dr
Source:	Binary string: ole32.pdbUGP source: NVIDIA Notification.exe, 00000004.00000003.2168103368.000002AD18CE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Windows.Storage.pdbUGP source: NVIDIA Notification.exe, 00000004.00000003.2187945112.000002AD19350000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Kernel.Appcore.pdbUGP source: NVIDIA Notification.exe, 00000004.00000003.2186943772.000002AD17280000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: sechost.pdbUGP source: NVIDIA Notification.exe, 00000004.00000003.2171035452.000002AD18C50000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msimg32.pdbUGP source: NVIDIA Notification.exe, 00000004.00000003.2177463857.000002AD17280000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: user32.pdb source: NVIDIA Notification.exe, 00000004.00000003.2161163241.000002AD18D50000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: comctl32.pdbUGP source: NVIDIA Notification.exe, 00000004.00000003.2185653824.000002AD18E50000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: kernelbase.pdbUGP source: NVIDIA Notification.exe, 00000004.00000003.2159080582.000002AD18E90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: NVIDIA Notification.exe, 00000004.00000003.2186943772.000002AD17280000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D3DCompiler_47.pdb source: NVIDIA Notification.exe, 00000004.00000003.2179169164.000002AD19000000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: NVIDIA Notification.exe, 00000004.00000003.2157678976.000002AD18DA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: oleaut32.pdb source: NVIDIA Notification.exe, 00000004.00000003.2169862564.000002AD18C80000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: dxgi.pdb source: NVIDIA Notification.exe, 00000004.00000003.2175379554.000002AD18CA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: comctl32.pdb source: NVIDIA Notification.exe, 00000004.00000003.2185653824.000002AD18E50000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ws2_32.pdbUGP source: NVIDIA Notification.exe, 00000004.00000003.2159903231.000002AD18BB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: iertutil.pdbUGP source: NVIDIA Notification.exe, 00000004.00000003.2183681340.000002AD18E60000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: crypt32.pdb source: NVIDIA Notification.exe, 00000004.00000003.2160486051.000002AD18D10000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF6078C6230 FindFirstFileW,cef_v8value_create_int,cef_v8value_create_int,cef_v8value_create_int,cef_v8value_create_int,cef_v8value_create_int,FindNextFileW,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	4_2_00007FF6078C6230
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A75750A8 _errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,__time64_t_from_ft,__time64_t_from_ft,__time64_t_from_ft,_invoke_watson,	4_2_00007FF8A75750A8
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A74029A4 GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,	4_2_00007FF8A74029A4
Source: C:\Windows\explorer.exe	Code function: 6_2_0838AA7C FindFirstFileW,FindNextFileW,LoadLibraryW,	6_2_0838AA7C
Source: C:\Windows\explorer.exe	Code function: 6_2_08382B28 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	6_2_08382B28
Source: C:\Windows\explorer.exe	Code function: 6_2_08390560 FindFirstFileW,	6_2_08390560

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2829202 - Severity 1 - ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA : 192.168.2.5:49707 -> 104.21.23.216:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:49981 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:49982 -> 104.21.95.192:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:49985 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:49986 -> 104.21.95.192:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:49983 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:49993 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50001 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:49988 -> 104.21.95.192:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:49998 -> 104.21.95.192:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:49989 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:49997 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:49987 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:49984 -> 104.21.95.192:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:49994 -> 104.21.95.192:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50000 -> 104.21.95.192:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50002 -> 104.21.95.192:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50008 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50006 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:49991 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50005 -> 104.21.95.192:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50004 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:49999 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:49990 -> 104.21.95.192:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:49995 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:49992 -> 104.21.95.192:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50007 -> 104.21.95.192:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50010 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50009 -> 104.21.95.192:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:49996 -> 104.21.95.192:443
Source: Network traffic	Suricata IDS: 2048735 - Severity 1 - ET MALWARE Latrodectus Loader Related Activity (POST) : 192.168.2.5:50011 -> 104.21.95.192:443

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 104.21.95.192 443			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 188.114.96.3 443			Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://tynifinilam.com/test/
Source: Malware configuration extractor	URLs: https://horetimodual.com/test/

Source: global traffic	TCP traffic: 192.168.2.5:49716 -> 194.76.227.108:7999
Source: global traffic	TCP traffic: 192.168.2.5:49734 -> 108.181.182.132:7999

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49986 -> 104.21.95.192:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49981 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49985 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49990 -> 104.21.95.192:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49983 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49984 -> 104.21.95.192:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49987 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49996 -> 104.21.95.192:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49993 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49998 -> 104.21.95.192:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49988 -> 104.21.95.192:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49991 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49995 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50000 -> 104.21.95.192:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49999 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49994 -> 104.21.95.192:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50006 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50008 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50004 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50010 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50007 -> 104.21.95.192:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50009 -> 104.21.95.192:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50001 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50011 -> 104.21.95.192:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50005 -> 104.21.95.192:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49982 -> 104.21.95.192:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49997 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50002 -> 104.21.95.192:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49989 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49992 -> 104.21.95.192:443

Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: Fap8BGHxobQ2bxYxlWut9aEExDaliFTPvjV9hI81N0V+FXszy0sMlsZ7B+Ze9MDdoaIEcIFLxQSiY2N8xhZidYkTnrgbZK9Ji4RRslvqYmAKAW2joM5zRei/drRbx2CsrVZARnteXj6cXmJZH20We0L3B78c/XYq5EO36Ov+XhFHZ2dPN0A=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: tynifinilam.comContent-Length: 92Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: Fap8BGHxobQ2bxYxlWut9aEExDaliFTPvjV9hI81N0V+FXszy0sMlsZ7B+Ze9MDdoaIEcIFLxQSiY2N8xhZidYkTnrgbZK9Ji4RRslvqYmAKAW2joM5zRei/drRbx2CsrVZARnteXj6cXmJZH20We0L3B78c/XY28l+7+uv9WBlTayUCO0LqUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: horetimodual.comContent-Length: 92Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: Fap8BGHxobQ2bxYxlWut9aEExDaliFTPvjV9hI81N0V+FXszy0sMlsZ7B+Ze9MDdoaIEcIFLxQSiY2N8xhZidYkTnrgbZK9Ji4RRslvqYmAKAW2joM5zRei/drRbx2CsrVZARnteXj6cXmJZH20We0L3B78c/XYq5EO36Ov+XhFHZ2dPN0A=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: tynifinilam.comContent-Length: 92Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: Fap8BGHxobQ2bxYxlWut9aEExDaliFTPvjV9hI81N0V+FXszy0sMlsZ7B+Ze9MDdoaIEcIFLxQSiY2N8xhZidYkTnrgbZK9Ji4RRslvqYmAKAW2joM5zRei/drRbx2CsrVZARnteXj6cXmJZH20We0L3B78c/XY28l+7+uv9WBlTayUCO0LqUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: horetimodual.comContent-Length: 92Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: Fap8BGHxobQ2bxYxlWut9aEExDaliFTPvjV9hI81N0V+FXszy0sMlsZ7B+Ze9MDdoaIEcIFLxQSiY2N8xhZidYkTnrgbZK9Ji4RRslvqYmAKAW2joM5zRei/drRbx2CsrVZARnteXj6cXmJZH20We0L3B78c/XYq5EO36Ov+XhFHZ2dPN0A=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: tynifinilam.comContent-Length: 92Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: Fap8BGHxobQ2bxYxlWut9aEExDaliFTPvjV9hI81N0V+FXszy0sMlsZ7B+Ze9MDdoaIEcIFLxQSiY2N8xhZidYkTnrgbZK9Ji4RRslvqYmAKAW2joM5zRei/drRbx2CsrVZARnteXj6cXmJZH20We0L3B78c/XY28l+7+uv9WBlTayUCO0LqUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: horetimodual.comContent-Length: 92Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: Fap8BGHxobQ2bxYxlWut9aEExDaliFTPvjV9hI81N0V+FXszy0sMlsZ7B+Ze9MDdoaIEcIFLxQSiY2N8xhZidYkTnrgbZK9Ji4RRslvqYmAKAW2joM5zRei/drRbx2CsrVZARnteXj6cXmJZH20We0L3B78c/XYq5EO36Ov+XhFHZ2dPN0A=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: tynifinilam.comContent-Length: 92Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: Fap8BGHxobQ2bxYxlWut9aEExDaliFTPvjV9hI81N0V+FXszy0sMlsZ7B+Ze9MDdoaIEcIFLxQSiY2N8xhZidYkTnrgbZK9Ji4RRslvqYmAKAW2joM5zRei/drRbx2CsrVZARnteXj6cXmJZH20We0L3B78c/XY28l+7+uv9WBlTayUCO0LqUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: horetimodual.comContent-Length: 92Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: Fap8BGHxobQ2bxYxlWut9aEExDaliFTPvjV9hI81N0V+FXszy0sMlsZ7B+Ze9MDdoaIEcIFLxQSiY2N8xhZidYkTnrgbZK9Ji4RRslvqYmAKAW2joM5zRei/drRbx2CsrVZARnteXj6cXmJZH20We0L3B78c/XYq5EO36Ov+XhFHZ2dPN0A=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: tynifinilam.comContent-Length: 92Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: Fap8BGHxobQ2bxYxlWut9aEExDaliFTPvjV9hI81N0V+FXszy0sMlsZ7B+Ze9MDdoaIEcIFLxQSiY2N8xhZidYkTnrgbZK9Ji4RRslvqYmAKAW2joM5zRei/drRbx2CsrVZARnteXj6cXmJZH20We0L3B78c/XY28l+7+uv9WBlTayUCO0LqUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: horetimodual.comContent-Length: 92Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: Fap8BGHxobQ2bxYxlWut9aEExDaliFTPvjV9hI81N0V+FXszy0sMlsZ7B+Ze9MDdoaIEcIFLxQSiY2N8xhZidYkTnrgbZK9Ji4RRslvqYmAKAW2joM5zRei/drRbx2CsrVZARnteXj6cXmJZH20We0L3B78c/XYq5EO36Ov+XhFHZ2dPN0A=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: tynifinilam.comContent-Length: 92Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: Fap8BGHxobQ2bxYxlWut9aEExDaliFTPvjV9hI81N0V+FXszy0sMlsZ7B+Ze9MDdoaIEcIFLxQSiY2N8xhZidYkTnrgbZK9Ji4RRslvqYmAKAW2joM5zRei/drRbx2CsrVZARnteXj6cXmJZH20We0L3B78c/XY28l+7+uv9WBlTayUCO0LqUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: horetimodual.comContent-Length: 92Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: Fap8BGHxobQ2bxYxlWut9aEExDaliFTPvjV9hI81N0V+FXszy0sMlsZ7B+Ze9MDdoaIEcIFLxQSiY2N8xhZidYkTnrgbZK9Ji4RRslvqYmAKAW2joM5zRei/drRbx2CsrVZARnteXj6cXmJZH20We0L3B78c/XYq5EO36Ov+XhFHZ2dPN0A=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: tynifinilam.comContent-Length: 92Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: Fap8BGHxobQ2bxYxlWut9aEExDaliFTPvjV9hI81N0V+FXszy0sMlsZ7B+Ze9MDdoaIEcIFLxQSiY2N8xhZidYkTnrgbZK9Ji4RRslvqYmAKAW2joM5zRei/drRbx2CsrVZARnteXj6cXmJZH20We0L3B78c/XY28l+7+uv9WBlTayUCO0LqUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: horetimodual.comContent-Length: 92Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: Fap8BGHxobQ2bxYxlWut9aEExDaliFTPvjV9hI81N0V+FXszy0sMlsZ7B+Ze9MDdoaIEcIFLxQSiY2N8xhZidYkTnrgbZK9Ji4RRslvqYmAKAW2joM5zRei/drRbx2CsrVZARnteXj6cXmJZH20We0L3B78c/XYq5EO36Ov+XhFHZ2dPN0A=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: tynifinilam.comContent-Length: 92Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: Fap8BGHxobQ2bxYxlWut9aEExDaliFTPvjV9hI81N0V+FXszy0sMlsZ7B+Ze9MDdoaIEcIFLxQSiY2N8xhZidYkTnrgbZK9Ji4RRslvqYmAKAW2joM5zRei/drRbx2CsrVZARnteXj6cXmJZH20We0L3B78c/XY28l+7+uv9WBlTayUCO0LqUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: horetimodual.comContent-Length: 92Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: Fap8BGHxobQ2bxYxlWut9aEExDaliFTPvjV9hI81N0V+FXszy0sMlsZ7B+Ze9MDdoaIEcIFLxQSiY2N8xhZidYkTnrgbZK9Ji4RRslvqYmAKAW2joM5zRei/drRbx2CsrVZARnteXj6cXmJZH20We0L3B78c/XYq5EO36Ov+XhFHZ2dPN0A=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: tynifinilam.comContent-Length: 92Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: Fap8BGHxobQ2bxYxlWut9aEExDaliFTPvjV9hI81N0V+FXszy0sMlsZ7B+Ze9MDdoaIEcIFLxQSiY2N8xhZidYkTnrgbZK9Ji4RRslvqYmAKAW2joM5zRei/drRbx2CsrVZARnteXj6cXmJZH20We0L3B78c/XY28l+7+uv9WBlTayUCO0LqUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: horetimodual.comContent-Length: 92Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: Fap8BGHxobQ2bxYxlWut9aEExDaliFTPvjV9hI81N0V+FXszy0sMlsZ7B+Ze9MDdoaIEcIFLxQSiY2N8xhZidYkTnrgbZK9Ji4RRslvqYmAKAW2joM5zRei/drRbx2CsrVZARnteXj6cXmJZH20We0L3B78c/XYq5EO36Ov+XhFHZ2dPN0A=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: tynifinilam.comContent-Length: 92Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: Fap8BGHxobQ2bxYxlWut9aEExDaliFTPvjV9hI81N0V+FXszy0sMlsZ7B+Ze9MDdoaIEcIFLxQSiY2N8xhZidYkTnrgbZK9Ji4RRslvqYmAKAW2joM5zRei/drRbx2CsrVZARnteXj6cXmJZH20We0L3B78c/XY28l+7+uv9WBlTayUCO0LqUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: horetimodual.comContent-Length: 92Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: Fap8BGHxobQ2bxYxlWut9aEExDaliFTPvjV9hI81N0V+FXszy0sMlsZ7B+Ze9MDdoaIEcIFLxQSiY2N8xhZidYkTnrgbZK9Ji4RRslvqYmAKAW2joM5zRei/drRbx2CsrVZARnteXj6cXmJZH20We0L3B78c/XYq5EO36Ov+XhFHZ2dPN0A=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: tynifinilam.comContent-Length: 92Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: Fap8BGHxobQ2bxYxlWut9aEExDaliFTPvjV9hI81N0V+FXszy0sMlsZ7B+Ze9MDdoaIEcIFLxQSiY2N8xhZidYkTnrgbZK9Ji4RRslvqYmAKAW2joM5zRei/drRbx2CsrVZARnteXj6cXmJZH20We0L3B78c/XY28l+7+uv9WBlTayUCO0LqUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: horetimodual.comContent-Length: 92Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: Fap8BGHxobQ2bxYxlWut9aEExDaliFTPvjV9hI81N0V+FXszy0sMlsZ7B+Ze9MDdoaIEcIFLxQSiY2N8xhZidYkTnrgbZK9Ji4RRslvqYmAKAW2joM5zRei/drRbx2CsrVZARnteXj6cXmJZH20We0L3B78c/XYq5EO36Ov+XhFHZ2dPN0A=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: tynifinilam.comContent-Length: 92Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: Fap8BGHxobQ2bxYxlWut9aEExDaliFTPvjV9hI81N0V+FXszy0sMlsZ7B+Ze9MDdoaIEcIFLxQSiY2N8xhZidYkTnrgbZK9Ji4RRslvqYmAKAW2joM5zRei/drRbx2CsrVZARnteXj6cXmJZH20We0L3B78c/XY28l+7+uv9WBlTayUCO0LqUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: horetimodual.comContent-Length: 92Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: Fap8BGHxobQ2bxYxlWut9aEExDaliFTPvjV9hI81N0V+FXszy0sMlsZ7B+Ze9MDdoaIEcIFLxQSiY2N8xhZidYkTnrgbZK9Ji4RRslvqYmAKAW2joM5zRei/drRbx2CsrVZARnteXj6cXmJZH20We0L3B78c/XYq5EO36Ov+XhFHZ2dPN0A=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: tynifinilam.comContent-Length: 92Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: Fap8BGHxobQ2bxYxlWut9aEExDaliFTPvjV9hI81N0V+FXszy0sMlsZ7B+Ze9MDdoaIEcIFLxQSiY2N8xhZidYkTnrgbZK9Ji4RRslvqYmAKAW2joM5zRei/drRbx2CsrVZARnteXj6cXmJZH20We0L3B78c/XY28l+7+uv9WBlTayUCO0LqUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: horetimodual.comContent-Length: 92Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: Fap8BGHxobQ2bxYxlWut9aEExDaliFTPvjV9hI81N0V+FXszy0sMlsZ7B+Ze9MDdoaIEcIFLxQSiY2N8xhZidYkTnrgbZK9Ji4RRslvqYmAKAW2joM5zRei/drRbx2CsrVZARnteXj6cXmJZH20We0L3B78c/XYq5EO36Ov+XhFHZ2dPN0A=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: tynifinilam.comContent-Length: 92Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: Fap8BGHxobQ2bxYxlWut9aEExDaliFTPvjV9hI81N0V+FXszy0sMlsZ7B+Ze9MDdoaIEcIFLxQSiY2N8xhZidYkTnrgbZK9Ji4RRslvqYmAKAW2joM5zRei/drRbx2CsrVZARnteXj6cXmJZH20We0L3B78c/XY28l+7+uv9WBlTayUCO0LqUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: horetimodual.comContent-Length: 92Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: Fap8BGHxobQ2bxYxlWut9aEExDaliFTPvjV9hI81N0V+FXszy0sMlsZ7B+Ze9MDdoaIEcIFLxQSiY2N8xhZidYkTnrgbZK9Ji4RRslvqYmAKAW2joM5zRei/drRbx2CsrVZARnteXj6cXmJZH20We0L3B78c/XYq5EO36Ov+XhFHZ2dPN0A=User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: tynifinilam.comContent-Length: 92Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /test/ HTTP/1.1Accept: /Content-Type: application/x-www-form-urlencodedCookie: Fap8BGHxobQ2bxYxlWut9aEExDaliFTPvjV9hI81N0V+FXszy0sMlsZ7B+Ze9MDdoaIEcIFLxQSiY2N8xhZidYkTnrgbZK9Ji4RRslvqYmAKAW2joM5zRei/drRbx2CsrVZARnteXj6cXmJZH20We0L3B78c/XY28l+7+uv9WBlTayUCO0LqUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: horetimodual.comContent-Length: 92Cache-Control: no-cache

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\explorer.exe

Code function: 6_2_083851DC InternetReadFile,

6_2_083851DC

Source: global traffic

HTTP traffic detected: GET /calma.php HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows InstallerHost: streameqst.live

Source: NVIDIA Notification.exe, 00000004.00000002.3368806704.00007FF607A47000.00000002.00000001.01000000.00000006.sdmp, NVIDIA Notification.exe, 00000004.00000000.2152261554.00007FF607A47000.00000002.00000001.01000000.00000006.sdmp, NVIDIA Notification.exe, 00000004.00000003.2156076643.000002AD18EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/watch equals www.youtube.com (Youtube)
Source: NVIDIA Notification.exe, 00000004.00000002.3368806704.00007FF607A47000.00000002.00000001.01000000.00000006.sdmp, NVIDIA Notification.exe, 00000004.00000000.2152261554.00007FF607A47000.00000002.00000001.01000000.00000006.sdmp, NVIDIA Notification.exe, 00000004.00000003.2156076643.000002AD18EF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/watch` equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: streameqst.live
Source: global traffic	DNS traffic detected: DNS query: dimidroli.com
Source: global traffic	DNS traffic detected: DNS query: domskufidona.com
Source: global traffic	DNS traffic detected: DNS query: tynifinilam.com
Source: global traffic	DNS traffic detected: DNS query: horetimodual.com

Source: unknown

HTTP traffic detected: POST /dort.php HTTP/1.1Content-Type: application/x-www-form-urlencoded; charset=utf-8User-Agent: AdvancedInstallerHost: streameqst.liveContent-Length: 85Cache-Control: no-cache

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 19 Feb 2025 18:03:52 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0BWjyOiUsOubZpJ6MK29JZ84%2FjGj9HPVXsoX191WRm1Yi7wO6X56YlRuziUTZTfCSv0m%2FG6y%2BudEehJ5llW3mnqulH3C6ygyVHm1Gey7F1kLIutp72jRb%2B059TVV4D8PDXM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91482d15ad098287-IADalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=7267&min_rtt=7255&rtt_var=2746&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=1169&delivery_rate=396846&cwnd=32&unsent_bytes=0&cid=e2254f428238e93d&ts=418&x=0"
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 19 Feb 2025 18:03:53 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Bnd82d7TXO54fHFkx3aXzZRA2kmBWMO00CAifyZM%2BpjBhZ8dgjs2Jf2PxQmPAZery%2FiC6Nc7ZKtQE2ytVNpV%2FgbsO5WWkwBnUcoxo3pPspK7kw%2BRiy7YBYtpw7eFJ0Xqy0CY"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91482d1b688315a3-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1601&min_rtt=1597&rtt_var=607&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2842&recv_bytes=1170&delivery_rate=1792510&cwnd=129&unsent_bytes=0&cid=efa76328403f60b3&ts=342&x=0"
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 19 Feb 2025 18:03:54 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SXI4FYCTfqJX6BdN2H0K%2FM5hWPF%2BoXfMRBi4SSEkt7scgnpJFv2ef4dND%2Frtw8l9qwm0%2BQD8LHs5opGFTghNH8Ao30fZSkcOlmYtBKQcFLUP%2FN5z9O8%2FKP1iXr%2BdxLO1zuA%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91482d212c05c588-IADalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=7012&min_rtt=7002&rtt_var=2645&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2837&recv_bytes=1169&delivery_rate=412312&cwnd=32&unsent_bytes=0&cid=33fe88f9f2f6a5e4&ts=441&x=0"
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 19 Feb 2025 18:03:55 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=g22II7Q0ogBbKGtxcse3pEovRe1iz57h00l%2FJERgtdnwOVHJxC74a%2B25Hf72SdaAi%2Fg9ZRwsdjvri4WvdRn1CTI1C197v1ImDiYVLZaTJVjxMIdwXJDrWfKZikn2evb0YSUn"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91482d26dc930fa1-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1924&min_rtt=1611&rtt_var=828&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2842&recv_bytes=1170&delivery_rate=1812538&cwnd=252&unsent_bytes=0&cid=940914062c459684&ts=338&x=0"
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 19 Feb 2025 18:03:56 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FJ0KzG1K3STv7KW9VTRk6Mn9SlsZSfn%2FNWhQGttL2w6KxwoXQs4QFtmBuVAMwKEw7Eq1JKRs3in6Wf%2B2d3%2FKa%2Bd4Cxu0aYGQ3XiF3ExyTqHYbBzvsQQFbVIlwWAqEzUAvW4%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91482d2c0eb68302-IADalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=7159&min_rtt=7149&rtt_var=2701&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2837&recv_bytes=1169&delivery_rate=403761&cwnd=32&unsent_bytes=0&cid=cf9410b7a01d6e4a&ts=410&x=0"
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 19 Feb 2025 18:03:57 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8DyHvhI76FPdlvZRJcoXIp1TSCrO6D4weuho4kYANCxtSSEswZZoMEiEXVqXJOzZbzTz3IQWkmZhKXERxdYHOdEnmX5gPwRpi1SfGtUKG%2B4LFEykfMnDbWxrLW5GOVldrNTV"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91482d317cd4440c-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1710&min_rtt=1702&rtt_var=654&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2841&recv_bytes=1170&delivery_rate=1653454&cwnd=252&unsent_bytes=0&cid=b3d0f5d84674a630&ts=343&x=0"
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 19 Feb 2025 18:03:58 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OlW8KccfTxnHUUObqpnWdxuqNBSrODx83IY%2BWFysV%2BCVjG6qf1ErX5QyZjkCAOnIuHlgQ4jfLHnEuWr61ov0PrG%2BhvDELRGAQ87%2BDU7Ih6Uxy7G7ZJsTWJR1rmdV4xJRvdc%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91482d36cb96802d-IADalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=7669&min_rtt=7666&rtt_var=2882&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2837&recv_bytes=1169&delivery_rate=379467&cwnd=32&unsent_bytes=0&cid=77b5fb0c136957ce&ts=406&x=0"
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 19 Feb 2025 18:03:58 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NQoe9zAvp9KmLHv4ZzlKZF8J5OyKRysnPGrEOo0RrCk15TSz5ILKXSC0vB1%2F2ETxmpUwo2aKqC7sCZYtUIWDxN0CNBgJk6eLbLBni%2BfpAqCeXCcpVEW3R0uteiW1NXhJT3aX"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91482d3c38b841f3-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1535&min_rtt=1528&rtt_var=587&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2842&recv_bytes=1170&delivery_rate=1839949&cwnd=225&unsent_bytes=0&cid=b64586008c80e478&ts=345&x=0"
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 19 Feb 2025 18:03:59 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BcowDoz8t4QqXrxzRDYmzDTSvTtxySZy8uS%2BrpxGpnDsq965bnhgTpmc4VsQFy4f1CZ0Wuo4pjRU1Q%2BLlsh71M5r%2Fe4%2Bsi4Y5lo65gwXsSwrKl0QpN7K5p%2BFKHFIlHzLmXo%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91482d4168cac5ad-IADalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=7194&min_rtt=7190&rtt_var=2706&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2836&recv_bytes=1169&delivery_rate=403928&cwnd=32&unsent_bytes=0&cid=c37c5c9bdbe732e2&ts=397&x=0"
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 19 Feb 2025 18:04:00 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eTLrf9DG1EL3jHX9vjybcZD2IJ4PVEus%2BnI8R%2B1hJPeUoMb8LVq6wavh7GTM75jYz7BC%2Bw9xYOM8Bi73fg%2F3tSGYcDAyJKv%2Br7mXomyqyfMwwt4OPv%2FiixpMDlkE5FdPxmwR"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91482d46cf8215a3-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1625&min_rtt=1620&rtt_var=618&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2843&recv_bytes=1170&delivery_rate=1756919&cwnd=129&unsent_bytes=0&cid=267b0c7429f52738&ts=339&x=0"
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 19 Feb 2025 18:04:01 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lLHLRVf8W0Fmrm1eCzTLI8jfP3CPlLrR3FE7xKnVj4YRIVxya1qtZDcq3k167Wrw4AbS%2B%2FUqgGEVO1WTpjUAEAr6bry2EaRtuU%2BzEUM6Xx%2FWspBJzOSKjmKHRyeQ0lRSwE4%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91482d4be92a8274-IADalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=7177&min_rtt=7168&rtt_var=2695&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2837&recv_bytes=1169&delivery_rate=407366&cwnd=32&unsent_bytes=0&cid=d2d46782351dd132&ts=403&x=0"
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 19 Feb 2025 18:04:02 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wmcXmK3s4C3OqVCaBHZzKga%2F6tFTH4BmM9kxHCrXDE57G0ppIBZ4WoAqxncX6dOyWzpITg09oGnxXRg5xZV4bbQoRLAYCYcg5UIoXRK5qGjWmCgGFTv9Dgd1O9WXd5rZGT9K"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91482d515bed41f3-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1581&min_rtt=1577&rtt_var=601&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2841&recv_bytes=1170&delivery_rate=1808049&cwnd=225&unsent_bytes=0&cid=7a0294e707c8c161&ts=330&x=0"
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 19 Feb 2025 18:04:03 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7KeGy8RZkLn%2BxRzvAxixfnS8UUfM%2B4KUyf7eY8ipIB99Am2xTgJ9%2BzpjEFY0h1M2SY64zmt8o9EBAR9jSE0EDxD4gkXBRjRYS0cNveNABiDpOtX%2B0MuKw2bHJ5Hlv0JJIis%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91482d568996825d-IADalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=7231&min_rtt=7227&rtt_var=2719&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2836&recv_bytes=1169&delivery_rate=401927&cwnd=32&unsent_bytes=0&cid=3538d2a2cb874236&ts=432&x=0"
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 19 Feb 2025 18:04:04 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JY%2FsgE%2B3gp9UcNRRGM3rSu%2BjCtT1OZBtAoDamlgE2bETsIaxAFlFnhs%2Bpr4ZiNXXFZtO9XkTHho%2Bi84rVpH7pbW7wGFamQcoj0O5xyLQ%2F1MmEiiVnsWPhdb%2F09i2sWwMAjgY"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91482d5c2b4e41f3-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1521&min_rtt=1507&rtt_var=593&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2842&recv_bytes=1170&delivery_rate=1801357&cwnd=225&unsent_bytes=0&cid=c3616864820611aa&ts=334&x=0"
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 19 Feb 2025 18:04:04 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xAtw5KhC7yv5OOwlRjqp4yk18W9sl%2BJBwHS3SAt2wODFSVD9nm10dLnV%2FL5H2dI7jDamg0oG029XBMhijmRoz%2BjCuZPuAeRER0W9PujG2wzsWayQEBFah%2Fd222a4vDHh69M%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91482d61a822c5ab-IADalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=7313&min_rtt=7078&rtt_var=2822&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2836&recv_bytes=1169&delivery_rate=412545&cwnd=32&unsent_bytes=0&cid=62db1d3714f9f0e9&ts=401&x=0"
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 19 Feb 2025 18:04:05 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aXGMG6x4pjVMVPGqyWB2y6Cd4kl2LN6XGbrxKkZZliyiIbzEnJ%2Fh%2BW9xqYmMRS6ofai%2FOHcf8ioY7qZTSk0w6ylRBOO3BApnMMIMSgI0eMxUTdyjAM%2BYxjGIr%2BzFAB2WMiav"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91482d66eaa815a3-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1623&min_rtt=1615&rtt_var=622&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2842&recv_bytes=1170&delivery_rate=1738095&cwnd=129&unsent_bytes=0&cid=3f6c6c93f847f7d5&ts=323&x=0"
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 19 Feb 2025 18:04:06 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=x%2FwGyz3iHj4gLHkHvJ9QMU14n%2BaKaOiVA%2Bj0oSzq94MDMMEdn8Q8zSvnZ%2Fo8A9vh2GjszBSz575KluuIHf65HBnr0%2BmxAARVIReXo6m0FgnnNwD4mm%2BCl4SY%2FhghMpzIVIA%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91482d6cac9282e4-IADalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=7181&min_rtt=7141&rtt_var=2759&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2837&recv_bytes=1169&delivery_rate=391106&cwnd=32&unsent_bytes=0&cid=50c9e43639d18af3&ts=405&x=0"
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 19 Feb 2025 18:04:07 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=b2gDmKDKd%2BtoqJioQhqeGCivJctbyJXwota%2Fh7aGFHd%2Bdym1%2BiV67Zxl83BZInS6pOxic63yeGGlJAO9ChPU2GchdPcL6%2B2UQUYvwa%2FXLKLPJEDHt%2FjixEHRQoMwZ36sZ4mI"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91482d720b68440c-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1754&min_rtt=1669&rtt_var=687&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2841&recv_bytes=1170&delivery_rate=1749550&cwnd=252&unsent_bytes=0&cid=1ec6f88d962a37ef&ts=322&x=0"
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 19 Feb 2025 18:04:08 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V7cmHssjL8Hb8mD8O1gBnkzuRhsK67EHQq7%2BpPcR6%2F0bzcmSSu35ag7PVuAHtP8NpMTV6qIEhQsqTFsNS%2BxhKtaNSzZRu8bDxvJdXsN5IXjBg%2B4HpLe8sH0qR9XQVtO7gDY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91482d7788dac59a-IADalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=7401&min_rtt=7395&rtt_var=2786&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2836&recv_bytes=1169&delivery_rate=392051&cwnd=32&unsent_bytes=0&cid=4caef772acaf18e9&ts=434&x=0"
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 19 Feb 2025 18:04:09 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3xsXDT36Skk3M8F6eaEhxM1pHLsg2e0qt158s3ny7HLCoFs5tj2ZMjBz4kKI1LgR7Z1rX9MPpBiVeHKtHrFCsNpt5KSrrqEcFyJs37zkGV9qhcuUFCSbnDjYQsPzjRTfjzDv"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91482d7ceb040fa1-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1498&min_rtt=1497&rtt_var=562&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2841&recv_bytes=1170&delivery_rate=1950567&cwnd=252&unsent_bytes=0&cid=f676e212f81822fe&ts=348&x=0"
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 19 Feb 2025 18:04:10 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4u%2FYVuBI4Cs4Z1IGVfp1G8qrMnIS30fvAhmJpL8Wh6HtmmEk1OMSoYE%2Bihb7i%2FQga7ts5HXD7OfX6Zmmnm5WHOpwq9%2Bj0lstNc9CyTDtaq1%2BcT2RiXQYl%2Bq3MlMUPcGkcV0%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91482d824d30c5ae-IADalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=7653&min_rtt=7249&rtt_var=3007&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2836&recv_bytes=1169&delivery_rate=402814&cwnd=32&unsent_bytes=0&cid=44296c7eddc1e4b5&ts=402&x=0"
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 19 Feb 2025 18:04:11 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=95yldnnMthCGSPsJ2RXrTs0ks8hwGHZP%2Box8M%2BKF6n%2FRojThmo3%2BHaSfuDEAJ61JbyQ9hXTE80RGOMowhZKB5fC%2B26BEPCTmj9iSzy%2FXjvPY5eg4nZ0dxvn0Bpd%2BbMKUsh7H"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91482d87e81a15a3-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1654&min_rtt=1654&rtt_var=827&sent=6&recv=7&lost=0&retrans=1&sent_bytes=4224&recv_bytes=1170&delivery_rate=153579&cwnd=129&unsent_bytes=0&cid=bf1bbee74603d975&ts=365&x=0"
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 19 Feb 2025 18:04:11 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=U46QcxLFacdPyA8HO18rwyQTnXh4GvLfNsLbfsn6Dswv44z54THPrz%2FOHPls02KQWIgLXYPNFr%2Fv6tagqaQeofLesYhbiyy0eakpvMUC%2FmXqq1cI72VNu2GkBkW%2Bfei4ReA%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91482d8d2d698250-IADalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=10705&min_rtt=7333&rtt_var=5158&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2837&recv_bytes=1169&delivery_rate=398199&cwnd=32&unsent_bytes=0&cid=5fc6d4a61ff5edf6&ts=411&x=0"
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 19 Feb 2025 18:04:12 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SrL2%2BSQ3nevqAz6yqC9nKiqFJ2fLLCudgAM93AB7JE%2F2xqpOiRDYD%2B0jmSsVckOSRd%2BQHNkCut1JUjW20HjkrwTgZeVXs9O%2BQVmmK2GyOJQB4umn63Z5i0tdb4MaBeaN8G2O"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91482d934d7841f3-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1605&min_rtt=1596&rtt_var=616&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2842&recv_bytes=1170&delivery_rate=1749550&cwnd=225&unsent_bytes=0&cid=d5b48acfc620e8cb&ts=446&x=0"
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 19 Feb 2025 18:04:13 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FtvEvf4j2rnozINAoJI9ME6HiigfdZwKHkmJipGS%2FTBzvsxBEOaFD8N2Uy8nKKZRk%2FKZebfTq3oEWH1pznAk4HhOlCQhHkvV7tS605mWJ0xGP2%2FL8Wco5GbMG%2BroxsMGWv8%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91482d989c718011-IADalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=8247&min_rtt=8239&rtt_var=3096&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2837&recv_bytes=1169&delivery_rate=354411&cwnd=32&unsent_bytes=0&cid=80103319b9279c21&ts=430&x=0"
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 19 Feb 2025 18:04:14 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2Zj63eGoiElg1lLb705q2ycgxHl4pwsKC1oov02K%2BlrmuOzpsSygqgNlCKB%2Bbc6B3tuhpSI%2Fz5zeigPr3Yq32WQ1L3pLvKV51UovHNHIcneQ0xyuKD8qOFF4W6uFyed4cKiY"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91482d9edd8b41f3-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=35365&min_rtt=1592&rtt_var=20673&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2843&recv_bytes=1170&delivery_rate=1834170&cwnd=225&unsent_bytes=0&cid=dbe0832ed8943651&ts=267&x=0"
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 19 Feb 2025 18:04:15 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ULaEYexCSJXwYfjaZs%2FVZMgMaQkDTgYv2bhdwXDFZzQCNp4kv%2FjetlsjeXR0S8ENaGsXq8nPbkTHe22pvbXn4lne%2FFKG8FVyYHw5mmbC0cglBIfe8TIzKqDd0tFjqqQpidQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91482da39cb3820e-IADalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=7217&min_rtt=7188&rtt_var=2754&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2836&recv_bytes=1169&delivery_rate=393318&cwnd=32&unsent_bytes=0&cid=33c5c5a0636f23d5&ts=404&x=0"
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 19 Feb 2025 18:04:16 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8MAQfIEIay5IiKJ9bSkU7V8S9SAWJH9ubDBPuiYkdKbNpcXvg0IXkJFz723BBDCyw2FpuV8Vvf1vfdf%2BjGMD53pG7IS801qioYoF%2F4y5s%2FHPNSLwqElDrusOkIbj3vXnwY8s"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91482da9da59440c-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1711&min_rtt=1706&rtt_var=650&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2843&recv_bytes=1170&delivery_rate=1671436&cwnd=252&unsent_bytes=0&cid=2700d263b1f795f5&ts=340&x=0"
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 19 Feb 2025 18:04:17 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=diIAAauMpdCFh1%2Fo17vMw6R%2BW%2B9IVdTkO4h6sAHY%2BDvh5BiR1Y2C8jAwE9xfcctJXpSChzLGsrKoaW7X%2BBpogLwawf7AtdJrcxjjbYpZtc7cDQkkf9n7CCfxNYwAYOsWYFk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91482daf3d205b35-IADalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=7812&min_rtt=7808&rtt_var=2936&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2836&recv_bytes=1169&delivery_rate=372353&cwnd=32&unsent_bytes=0&cid=9c416ece81822364&ts=409&x=0"
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 19 Feb 2025 18:04:18 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Uou%2FRVfQ7ni%2BX37ad29wjJ8AYYDs4Fi9qhAAsOVyODeUG%2Byds7HLsLn6ZeR2ZaON%2F92dA6KRzhp1xRD%2BM6vU3dMGOXP3VdzzUsQb9iazXw%2F0vKHNzhIYIguH8fqap0McgN71"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91482db48a3215a3-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1657&min_rtt=1646&rtt_var=639&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2843&recv_bytes=1170&delivery_rate=1683967&cwnd=129&unsent_bytes=0&cid=aa19f8545c29ca41&ts=323&x=0"

Source: NVIDIA Notification.exe.1.dr	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: NVIDIA Notification.exe, 00000004.00000003.2183681340.000002AD18E60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://appmap.trafficmanager.net/api/v1/parse?url=
Source: MSIB6CB.tmp.1.dr, MSIB62D.tmp.1.dr, MSIB68C.tmp.1.dr, MSIB6EB.tmp.1.dr, MSIBA38.tmp.1.dr, MSI28B1.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: libcef.dll.1.dr, MSI28B1.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: explorer.exe, 00000006.00000000.2292351623.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3371568894.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3371568894.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2292351623.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: MSIB6CB.tmp.1.dr, MSIB62D.tmp.1.dr, MSIB68C.tmp.1.dr, MSIB6EB.tmp.1.dr, MSIBA38.tmp.1.dr, MSI28B1.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: NVIDIA Notification.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: libcef.dll.1.dr, MSI28B1.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: libcef.dll.1.dr, NVIDIA Notification.exe.1.dr, MSI28B1.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: NVIDIA Notification.exe.1.dr	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: NVIDIA Notification.exe.1.dr	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: libcef.dll.1.dr, MSI28B1.tmp.1.dr	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: libcef.dll.1.dr, MSI28B1.tmp.1.dr	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: NVIDIA Notification.exe, 00000004.00000002.3364770115.000002AD1717A000.00000004.00000020.00020000.00000000.sdmp, NVIDIA Notification.exe, 00000004.00000003.2284837013.000002AD1717A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micros
Source: NVIDIA Notification.exe, 00000004.00000002.3364770115.000002AD1717A000.00000004.00000020.00020000.00000000.sdmp, NVIDIA Notification.exe, 00000004.00000003.2284837013.000002AD1717A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: explorer.exe, 00000006.00000002.3363875611.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2287637834.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: libcef.dll.1.dr, MSI28B1.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: MSIB6CB.tmp.1.dr, MSIB62D.tmp.1.dr, MSIB68C.tmp.1.dr, MSIB6EB.tmp.1.dr, MSIBA38.tmp.1.dr, MSI28B1.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: explorer.exe, 00000006.00000000.2292351623.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3371568894.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3371568894.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2292351623.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: NVIDIA Notification.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: libcef.dll.1.dr, MSI28B1.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: libcef.dll.1.dr, NVIDIA Notification.exe.1.dr, MSI28B1.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: MSIB6CB.tmp.1.dr, MSIB62D.tmp.1.dr, MSIB68C.tmp.1.dr, MSIB6EB.tmp.1.dr, MSIBA38.tmp.1.dr, MSI28B1.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: MSIB6CB.tmp.1.dr, MSIB62D.tmp.1.dr, MSIB68C.tmp.1.dr, MSIB6EB.tmp.1.dr, MSIBA38.tmp.1.dr, MSI28B1.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: explorer.exe, 00000006.00000000.2292351623.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3371568894.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3371568894.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2292351623.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: NVIDIA Notification.exe.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: MSIB6CB.tmp.1.dr, MSIB62D.tmp.1.dr, MSIB68C.tmp.1.dr, MSIB6EB.tmp.1.dr, MSIBA38.tmp.1.dr, MSI28B1.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 77EC63BDA74BD0D0E0426DC8F80085060.1.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: NVIDIA Notification.exe, 00000004.00000003.2160486051.000002AD18D10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enRootDirUrl2.5.29.28authroot.st
Source: explorer.exe, 00000006.00000000.2292351623.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3371568894.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3371568894.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2292351623.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, NVIDIA Notification.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: libcef.dll.1.dr, NVIDIA Notification.exe.1.dr, MSI28B1.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: MSIB6CB.tmp.1.dr, MSIB62D.tmp.1.dr, libcef.dll.1.dr, MSIB68C.tmp.1.dr, MSIB6EB.tmp.1.dr, MSIBA38.tmp.1.dr, MSI28B1.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: MSIB6CB.tmp.1.dr, MSIB62D.tmp.1.dr, MSIB68C.tmp.1.dr, MSIB6EB.tmp.1.dr, MSIBA38.tmp.1.dr, MSI28B1.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: libcef.dll.1.dr, MSI28B1.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: explorer.exe, 00000006.00000000.2292351623.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3371568894.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: NVIDIA Notification.exe.1.dr	String found in binary or memory: http://ocsp.entrust.net02
Source: NVIDIA Notification.exe.1.dr	String found in binary or memory: http://ocsp.entrust.net03
Source: libcef.dll.1.dr, MSI28B1.tmp.1.dr	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: libcef.dll.1.dr, MSI28B1.tmp.1.dr	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: NVIDIA Notification.exe, 00000004.00000002.3364770115.000002AD1719B000.00000004.00000020.00020000.00000000.sdmp, NVIDIA Notification.exe, 00000004.00000002.3367444627.000002AD195B0000.00000004.00000020.00020000.00000000.sdmp, NVIDIA Notification.exe, 00000004.00000002.3364770115.000002AD17145000.00000004.00000020.00020000.00000000.sdmp, NVIDIA Notification.exe, 00000004.00000003.2284837013.000002AD1717A000.00000004.00000020.00020000.00000000.sdmp, NVIDIA Notification.exe, 00000004.00000003.2284821484.000002AD195B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r10.i.lencr.org/0
Source: NVIDIA Notification.exe, 00000004.00000002.3364770115.000002AD1719B000.00000004.00000020.00020000.00000000.sdmp, NVIDIA Notification.exe, 00000004.00000002.3367444627.000002AD195B0000.00000004.00000020.00020000.00000000.sdmp, NVIDIA Notification.exe, 00000004.00000002.3364770115.000002AD17145000.00000004.00000020.00020000.00000000.sdmp, NVIDIA Notification.exe, 00000004.00000003.2284837013.000002AD1717A000.00000004.00000020.00020000.00000000.sdmp, NVIDIA Notification.exe, 00000004.00000003.2284821484.000002AD195B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r10.o.lencr.org0#
Source: NVIDIA Notification.exe, 00000004.00000002.3367626962.000002AD1967C000.00000004.00000020.00020000.00000000.sdmp, NVIDIA Notification.exe, 00000004.00000002.3364770115.000002AD17107000.00000004.00000020.00020000.00000000.sdmp, NVIDIA Notification.exe, 00000004.00000002.3364770115.000002AD1717A000.00000004.00000020.00020000.00000000.sdmp, NVIDIA Notification.exe, 00000004.00000002.3367444627.000002AD195B0000.00000004.00000020.00020000.00000000.sdmp, NVIDIA Notification.exe, 00000004.00000003.2284837013.000002AD1717A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.i.lencr.org/0
Source: NVIDIA Notification.exe, 00000004.00000002.3367626962.000002AD1967C000.00000004.00000020.00020000.00000000.sdmp, NVIDIA Notification.exe, 00000004.00000002.3364770115.000002AD17107000.00000004.00000020.00020000.00000000.sdmp, NVIDIA Notification.exe, 00000004.00000002.3364770115.000002AD1717A000.00000004.00000020.00020000.00000000.sdmp, NVIDIA Notification.exe, 00000004.00000002.3367444627.000002AD195B0000.00000004.00000020.00020000.00000000.sdmp, NVIDIA Notification.exe, 00000004.00000003.2284837013.000002AD1717A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.o.lencr.org0#
Source: explorer.exe, 00000006.00000002.3370491807.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.3370537405.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.2290536350.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: C5C8CC0A7FE31816B4641D04654025600.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt
Source: libcef.dll.1.dr, MSI28B1.tmp.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: libcef.dll.1.dr, MSI28B1.tmp.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: MSIB6CB.tmp.1.dr, MSIB62D.tmp.1.dr, MSIB68C.tmp.1.dr, MSIB6EB.tmp.1.dr, MSIBA38.tmp.1.dr, MSI28B1.tmp.1.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: MSIB6CB.tmp.1.dr, MSIB62D.tmp.1.dr, MSIB68C.tmp.1.dr, MSIB6EB.tmp.1.dr, MSIBA38.tmp.1.dr, MSI28B1.tmp.1.dr	String found in binary or memory: http://t2.symcb.com0
Source: NVIDIA Notification.exe, 00000004.00000003.2183681340.000002AD18E60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://test.com
Source: MSIB6CB.tmp.1.dr, MSIB62D.tmp.1.dr, MSIB68C.tmp.1.dr, MSIB6EB.tmp.1.dr, MSIBA38.tmp.1.dr, MSI28B1.tmp.1.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: MSIB6CB.tmp.1.dr, MSIB62D.tmp.1.dr, MSIB68C.tmp.1.dr, MSIB6EB.tmp.1.dr, MSIBA38.tmp.1.dr, MSI28B1.tmp.1.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: MSIB6CB.tmp.1.dr, MSIB62D.tmp.1.dr, MSIB68C.tmp.1.dr, MSIB6EB.tmp.1.dr, MSIBA38.tmp.1.dr, MSI28B1.tmp.1.dr	String found in binary or memory: http://tl.symcd.com0&
Source: MSIB6CB.tmp.1.dr, MSIB62D.tmp.1.dr, MSIB68C.tmp.1.dr, MSIB6EB.tmp.1.dr, MSIBA38.tmp.1.dr, NVIDIA Notification.exe.1.dr, MSI28B1.tmp.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: NVIDIA Notification.exe.1.dr	String found in binary or memory: http://www.entrust.net/rpa03
Source: NVIDIA Notification.exe, 00000004.00000002.3364770115.000002AD1717A000.00000004.00000020.00020000.00000000.sdmp, NVIDIA Notification.exe, 00000004.00000003.2284837013.000002AD1717A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: NVIDIA Notification.exe, 00000004.00000002.3364770115.000002AD1719B000.00000004.00000020.00020000.00000000.sdmp, NVIDIA Notification.exe, 00000004.00000002.3367626962.000002AD1967C000.00000004.00000020.00020000.00000000.sdmp, NVIDIA Notification.exe, 00000004.00000002.3364770115.000002AD17107000.00000004.00000020.00020000.00000000.sdmp, NVIDIA Notification.exe, 00000004.00000002.3364770115.000002AD1717A000.00000004.00000020.00020000.00000000.sdmp, NVIDIA Notification.exe, 00000004.00000002.3367444627.000002AD195B0000.00000004.00000020.00020000.00000000.sdmp, NVIDIA Notification.exe, 00000004.00000002.3364770115.000002AD17145000.00000004.00000020.00020000.00000000.sdmp, NVIDIA Notification.exe, 00000004.00000003.2284837013.000002AD1717A000.00000004.00000020.00020000.00000000.sdmp, NVIDIA Notification.exe, 00000004.00000003.2284821484.000002AD195B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: NVIDIA Notification.exe, 00000004.00000002.3364770115.000002AD1719B000.00000004.00000020.00020000.00000000.sdmp, NVIDIA Notification.exe, 00000004.00000002.3367626962.000002AD1967C000.00000004.00000020.00020000.00000000.sdmp, NVIDIA Notification.exe, 00000004.00000002.3364770115.000002AD17107000.00000004.00000020.00020000.00000000.sdmp, NVIDIA Notification.exe, 00000004.00000002.3364770115.000002AD1717A000.00000004.00000020.00020000.00000000.sdmp, NVIDIA Notification.exe, 00000004.00000002.3367444627.000002AD195B0000.00000004.00000020.00020000.00000000.sdmp, NVIDIA Notification.exe, 00000004.00000002.3364770115.000002AD17145000.00000004.00000020.00020000.00000000.sdmp, NVIDIA Notification.exe, 00000004.00000003.2284837013.000002AD1717A000.00000004.00000020.00020000.00000000.sdmp, NVIDIA Notification.exe, 00000004.00000003.2284821484.000002AD195B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: NVIDIA Notification.exe, 00000004.00000003.2160486051.000002AD18D10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://%s/%s/%sendcahttps://%s.pinrules.crt/%sRetrieveValidatestaple:OcspGetOcspPostOcspFailoverExp
Source: explorer.exe, 00000006.00000000.2295377209.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3096376389.000000000C547000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3381041865.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000006.00000002.3368085367.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2289597745.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000006.00000000.2289597745.0000000007637000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3368085367.0000000007637000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000006.00000003.3096920537.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2288467195.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3366290986.00000000035FA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.coml
Source: NVIDIA Notification.exe, 00000004.00000002.3364770115.000002AD17145000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dimidroli.com/
Source: NVIDIA Notification.exe, 00000004.00000002.3364770115.000002AD1717A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dimidroli.com:7999/
Source: NVIDIA Notification.exe, 00000004.00000002.3367444627.000002AD195A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dimidroli.com:7999/YV
Source: NVIDIA Notification.exe, 00000004.00000003.2284837013.000002AD1714C000.00000004.00000020.00020000.00000000.sdmp, NVIDIA Notification.exe, 00000004.00000002.3364770115.000002AD17145000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dimidroli.com:7999/detoxik.php
Source: NVIDIA Notification.exe, 00000004.00000002.3367444627.000002AD195A0000.00000004.00000020.00020000.00000000.sdmp, NVIDIA Notification.exe, 00000004.00000002.3364770115.000002AD1717A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dimidroli.com:7999/oxik.php
Source: NVIDIA Notification.exe, 00000004.00000002.3364770115.000002AD17107000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dimidroli.com:7999/oxik.phpqy
Source: NVIDIA Notification.exe, 00000004.00000002.3364770115.000002AD1717A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dimidroli.com:7999/oxik.php~j
Source: NVIDIA Notification.exe, 00000004.00000002.3367444627.000002AD195A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://domskufidona.com/
Source: NVIDIA Notification.exe, 00000004.00000002.3367444627.000002AD195A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://domskufidona.com/%W7
Source: NVIDIA Notification.exe, 00000004.00000003.2284837013.000002AD1717A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://domskufidona.com:7999/
Source: NVIDIA Notification.exe, 00000004.00000002.3364770115.000002AD17107000.00000004.00000020.00020000.00000000.sdmp, NVIDIA Notification.exe, 00000004.00000003.2284837013.000002AD1714C000.00000004.00000020.00020000.00000000.sdmp, NVIDIA Notification.exe, 00000004.00000002.3364770115.000002AD17145000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://domskufidona.com:7999/detoxik.php
Source: NVIDIA Notification.exe, 00000004.00000002.3367444627.000002AD195A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://domskufidona.com:7999/detoxik.php-W
Source: NVIDIA Notification.exe, 00000004.00000002.3367444627.000002AD195A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://domskufidona.com:7999/detoxik.phpCT
Source: NVIDIA Notification.exe, 00000004.00000002.3367444627.000002AD195A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://domskufidona.com:7999/detoxik.phpaV
Source: NVIDIA Notification.exe, 00000004.00000002.3367444627.000002AD195A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://domskufidona.com:7999/detoxik.phpmV
Source: explorer.exe, 00000006.00000003.3097934264.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3371568894.0000000009B96000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094549832.0000000009B96000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2292351623.0000000009B96000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000006.00000002.3385871043.000000000C9F9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3383830644.000000000C81C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3383830644.000000000C862000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://horetimodual.com/
Source: explorer.exe, 00000006.00000002.3385871043.000000000C9F9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://horetimodual.com/5163
Source: explorer.exe, 00000006.00000002.3385871043.000000000C9F9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://horetimodual.com/G
Source: explorer.exe, 00000006.00000002.3383830644.000000000C806000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3371568894.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3383830644.000000000C862000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3385242431.000000000C954000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3386190217.000000000E54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3371568894.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://horetimodual.com/test/
Source: explorer.exe, 00000006.00000002.3371568894.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://horetimodual.com/test/(
Source: explorer.exe, 00000006.00000002.3371568894.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://horetimodual.com/test/.dlle
Source: explorer.exe, 00000006.00000002.3371568894.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://horetimodual.com/test/5N
Source: explorer.exe, 00000006.00000002.3371568894.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://horetimodual.com/test/MenuArray_211928
Source: explorer.exe, 00000006.00000002.3371568894.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://horetimodual.com/test/dll
Source: explorer.exe, 00000006.00000002.3386190217.000000000E54E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://horetimodual.com/test/p
Source: explorer.exe, 00000006.00000002.3385871043.000000000C9F9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://horetimodual.com/w
Source: NVIDIA Notification.exe, 00000004.00000003.2187945112.000002AD19350000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://http:///WopiFrame.aspx?
Source: explorer.exe, 00000006.00000002.3371568894.0000000009C96000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3095864327.0000000009C92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094549832.0000000009B96000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2292351623.0000000009B96000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000006.00000000.2295377209.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3381041865.000000000C460000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: wscript.exe, 00000000.00000003.2155667898.000001E5E4E41000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2059963773.000001E5E4F89000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2159095038.000001E5E4F2A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2059915765.000001E5E4F89000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2059739506.000001E5E4F7F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2059842625.000001E5E4F89000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2156325419.000001E5E4F29000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2059598394.000001E5E4F8D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2154834081.000001E5E559E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2059804702.000001E5E4F89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://streameqst.live/calma.php
Source: wscript.exe, 00000000.00000003.2155996859.000001E5E4F26000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2155667898.000001E5E4E41000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2159020526.000001E5E4F27000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2157281400.000001E5E4F27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://streameqst.live/calma.php%=
Source: ~DF8DC5CFD1594AA996.TMP.1.dr, ~DFA98222D31730BED6.TMP.1.dr, ~DFA825109037B3B642.TMP.1.dr, ~DF436A4AB611BAE051.TMP.1.dr, ~DF696240437B048E25.TMP.1.dr, inprogressinstallinfo.ipi.1.dr	String found in binary or memory: https://streameqst.live/calma.php0
Source: ~DF6E36B2C392B216EA.TMP.1.dr	String found in binary or memory: https://streameqst.live/calma.php2056014544311630860
Source: wscript.exe, 00000000.00000003.2155996859.000001E5E4F26000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2155667898.000001E5E4E41000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2159095038.000001E5E4F2A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2156325419.000001E5E4F29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://streameqst.live/calma.phpE6qA
Source: wscript.exe, 00000000.00000003.2156426809.000001E5E3054000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2158668800.000001E5E305E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2157369304.000001E5E305D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2156104046.000001E5E304E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://streameqst.live/calma.phpined
Source: MSI28B1.tmp.1.dr	String found in binary or memory: https://streameqst.live/dort.phpAI_DOWNGRADE4010AI_DpiContentScaleDpiContentScaleAI_EnableDebugLogEn
Source: explorer.exe, 00000006.00000002.3385871043.000000000C9F9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3383830644.000000000C81C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3383830644.000000000C862000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://tynifinilam.com/
Source: explorer.exe, 00000006.00000002.3383830644.000000000C862000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://tynifinilam.com/122658-3693405117-2476756634-1003NT9
Source: explorer.exe, 00000006.00000002.3383830644.000000000C862000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://tynifinilam.com/Microsoft
Source: explorer.exe, 00000006.00000002.3385871043.000000000C9F9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://tynifinilam.com/S
Source: explorer.exe, 00000006.00000002.3383830644.000000000C81C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3383830644.000000000C862000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3385242431.000000000C954000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://tynifinilam.com/test/
Source: explorer.exe, 00000006.00000002.3383830644.000000000C81C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://tynifinilam.com/test/L7
Source: explorer.exe, 00000006.00000002.3385242431.000000000C954000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://tynifinilam.com/test/S
Source: explorer.exe, 00000006.00000002.3383830644.000000000C862000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://tynifinilam.com/test/eSP
Source: explorer.exe, 00000006.00000000.2292351623.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3371568894.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 00000006.00000000.2292351623.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3371568894.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comon
Source: MSIB6CB.tmp.1.dr, MSIB62D.tmp.1.dr, MSIB68C.tmp.1.dr, MSIB6EB.tmp.1.dr, MSIBA38.tmp.1.dr, MSI28B1.tmp.1.dr	String found in binary or memory: https://www.advancedinstaller.com
Source: MSIB6CB.tmp.1.dr, MSIB62D.tmp.1.dr, MSIB68C.tmp.1.dr, MSIB6EB.tmp.1.dr, MSIBA38.tmp.1.dr, MSI28B1.tmp.1.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: NVIDIA Notification.exe.1.dr	String found in binary or memory: https://www.entrust.net/rpa0
Source: libcef.dll.1.dr, MSI28B1.tmp.1.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: NVIDIA Notification.exe, 00000004.00000003.2183681340.000002AD18E60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.modern.ie/Umbraco/Api/CompatIssueApi/PostCompatIssue
Source: NVIDIA Notification.exe, 00000004.00000003.2183681340.000002AD18E60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.modern.ie/Umbraco/Api/CompatIssueApi/PostCompatIssue?version=2
Source: NVIDIA Notification.exe, 00000004.00000003.2183681340.000002AD18E60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.modern.ie/umbraco/api/readingviewissues/postreadingviewissue
Source: NVIDIA Notification.exe, 00000004.00000003.2183681340.000002AD18E60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.cn/spartan/ientp?locale%3D%25s%26market%3D%25s%26enableregulatorypsm%3D%25d%26enable
Source: NVIDIA Notification.exe, 00000004.00000003.2183681340.000002AD18E60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/spartan/ientp?locale%3D%25s%26market%3D%25s%26enableregulatorypsm%3D%25d%26enabl
Source: MSIB6CB.tmp.1.dr, MSIB62D.tmp.1.dr, MSIB68C.tmp.1.dr, MSIB6EB.tmp.1.dr, MSIBA38.tmp.1.dr, MSI28B1.tmp.1.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: MSIB6CB.tmp.1.dr, MSIB62D.tmp.1.dr, MSIB68C.tmp.1.dr, MSIB6EB.tmp.1.dr, MSIBA38.tmp.1.dr, MSI28B1.tmp.1.dr	String found in binary or memory: https://www.thawte.com/repository0W
Source: NVIDIA Notification.exe.1.dr	String found in binary or memory: https://www.youtube.com/watch

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown	Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown	Network traffic detected: HTTP traffic on port 50007 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50010
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown	Network traffic detected: HTTP traffic on port 49984 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50010 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50008 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49999 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50009 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50011 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50001 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49982 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49992 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49999
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49998
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50007
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown	Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50009
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50008
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown	Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50001
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown	Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49993 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49988
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49987

Source: unknown	HTTPS traffic detected: 104.21.23.216:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.23.216:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49981 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.95.192:443 -> 192.168.2.5:49982 version: TLS 1.2

Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe

Code function: 4_2_00007FF8A747C53C SrcHashImpl::SrcHashImpl,CreateCompatibleDC,CreateCompatibleBitmap,FillRect,OpenClipboard,EmptyClipboard,CloseClipboard,SetClipboardData,CloseClipboard,

4_2_00007FF8A747C53C

Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe

Code function: 4_2_00007FF8A7446640 GetKeyboardState,GetKeyboardLayout,MapVirtualKeyW,ToUnicodeEx,LoadAcceleratorsW,LoadAcceleratorsW,

4_2_00007FF8A7446640

Source: NVIDIA Notification.exe, 00000004.00000003.2159080582.000002AD18E90000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: DirectInput8Create

memstr_d0248623-8

Source: NVIDIA Notification.exe, 00000004.00000003.2161163241.000002AD18D50000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_1febda52-b

Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe

Code function: 4_2_00007FF8A73F2804 GetKeyState,GetKeyState,GetKeyState,SendMessageW,

4_2_00007FF8A73F2804

Source: Yara match	File source: 4.3.NVIDIA Notification.exe.2ad18e90000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000003.2159080582.000002AD18E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NVIDIA Notification.exe PID: 5804, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.0.explorer.exe.8380000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detection based on the exports Author: Sekoia.io
Source: 4.3.NVIDIA Notification.exe.7ff42a290000.50.raw.unpack, type: UNPACKEDPE	Matched rule: detection based on the exports Author: Sekoia.io
Source: 6.0.explorer.exe.8380000.0.unpack, type: UNPACKEDPE	Matched rule: detection based on the exports Author: Sekoia.io
Source: 6.2.explorer.exe.8380000.0.unpack, type: UNPACKEDPE	Matched rule: detection based on the exports Author: Sekoia.io
Source: 4.3.NVIDIA Notification.exe.7ff42a290000.50.unpack, type: UNPACKEDPE	Matched rule: detection based on the exports Author: Sekoia.io
Source: 6.2.explorer.exe.8380000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detection based on the exports Author: Sekoia.io
Source: 00000004.00000003.2307209705.00007FF42A290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detection based on the exports Author: Sekoia.io
Source: 00000006.00000000.2290915982.0000000008380000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: detection based on the exports Author: Sekoia.io
Source: 00000006.00000002.3370167751.0000000008380000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: detection based on the exports Author: Sekoia.io

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Microsoft Windows Installer HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000C1090-0000-0000-C000-000000000046}

Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_3_000002AD172AD271 NtAllocateVirtualMemory,	4_3_000002AD172AD271
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_3_000002AD172AD2E1 NtProtectVirtualMemory,	4_3_000002AD172AD2E1
Source: C:\Windows\explorer.exe	Code function: 6_2_08388450 NtFreeVirtualMemory,	6_2_08388450
Source: C:\Windows\explorer.exe	Code function: 6_2_0838C8A0 NtDelayExecution,	6_2_0838C8A0
Source: C:\Windows\explorer.exe	Code function: 6_2_0838B524 NtAllocateVirtualMemory,	6_2_0838B524
Source: C:\Windows\explorer.exe	Code function: 6_2_08388254 RtlInitUnicodeString,NtCreateFile,	6_2_08388254
Source: C:\Windows\explorer.exe	Code function: 6_2_08390240 NtFreeVirtualMemory,	6_2_08390240
Source: C:\Windows\explorer.exe	Code function: 6_2_08388364 NtWriteFile,	6_2_08388364
Source: C:\Windows\explorer.exe	Code function: 6_2_083883DC NtClose,	6_2_083883DC

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI28B1.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB62D.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB68C.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB6CB.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB6EB.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBA38.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBA97.tmp	Jump to behavior

Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF6079F5788	4_2_00007FF6079F5788
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF60784E710	4_2_00007FF60784E710
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF607854510	4_2_00007FF607854510
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF60785C4FA	4_2_00007FF60785C4FA
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF6078AF450	4_2_00007FF6078AF450
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF607A0543C	4_2_00007FF607A0543C
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF607976088	4_2_00007FF607976088
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF6079E4DA0	4_2_00007FF6079E4DA0
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF607850C52	4_2_00007FF607850C52
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF60787ACA0	4_2_00007FF60787ACA0
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF6078C5BD0	4_2_00007FF6078C5BD0
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF60785EAD1	4_2_00007FF60785EAD1
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A740C364	4_2_00007FF8A740C364
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A73E4C80	4_2_00007FF8A73E4C80
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A747E864	4_2_00007FF8A747E864
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A74328BC	4_2_00007FF8A74328BC
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A74158EC	4_2_00007FF8A74158EC
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A74058A0	4_2_00007FF8A74058A0
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A7581740	4_2_00007FF8A7581740
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A7423720	4_2_00007FF8A7423720
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A741B674	4_2_00007FF8A741B674
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A73E6670	4_2_00007FF8A73E6670
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A7425610	4_2_00007FF8A7425610
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A74046E4	4_2_00007FF8A74046E4
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A74646F4	4_2_00007FF8A74646F4
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A7437680	4_2_00007FF8A7437680
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A73EB6A0	4_2_00007FF8A73EB6A0
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A747C53C	4_2_00007FF8A747C53C
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A7587570	4_2_00007FF8A7587570
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A758B514	4_2_00007FF8A758B514
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A73FA5B4	4_2_00007FF8A73FA5B4
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A73F446C	4_2_00007FF8A73F446C
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A7419434	4_2_00007FF8A7419434
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A74244E4	4_2_00007FF8A74244E4
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A7466498	4_2_00007FF8A7466498
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A7577364	4_2_00007FF8A7577364
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A7582330	4_2_00007FF8A7582330
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A73E6390	4_2_00007FF8A73E6390
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A74BD3AC	4_2_00007FF8A74BD3AC
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A7413264	4_2_00007FF8A7413264
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A7429230	4_2_00007FF8A7429230
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A74262D4	4_2_00007FF8A74262D4
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A73E82F0	4_2_00007FF8A73E82F0
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A7405284	4_2_00007FF8A7405284
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A73E6140	4_2_00007FF8A73E6140
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A73FA15C	4_2_00007FF8A73FA15C
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A749B114	4_2_00007FF8A749B114
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A741812C	4_2_00007FF8A741812C
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A74C0118	4_2_00007FF8A74C0118
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A74121E8	4_2_00007FF8A74121E8
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A73ED048	4_2_00007FF8A73ED048
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A741C06C	4_2_00007FF8A741C06C
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A742D060	4_2_00007FF8A742D060
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A73E30C0	4_2_00007FF8A73E30C0
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A73E8B50	4_2_00007FF8A73E8B50
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A7427F70	4_2_00007FF8A7427F70
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A744BFCC	4_2_00007FF8A744BFCC
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A7461FC4	4_2_00007FF8A7461FC4
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A747EE20	4_2_00007FF8A747EE20
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A7422D50	4_2_00007FF8A7422D50
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A74A6D10	4_2_00007FF8A74A6D10
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A7423D00	4_2_00007FF8A7423D00
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A73EADD0	4_2_00007FF8A73EADD0
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A7420C6C	4_2_00007FF8A7420C6C
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A7429BF8	4_2_00007FF8A7429BF8
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A7587B5C	4_2_00007FF8A7587B5C
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A74BEB44	4_2_00007FF8A74BEB44
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A73EBB00	4_2_00007FF8A73EBB00
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A746FBF4	4_2_00007FF8A746FBF4
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A7411B9C	4_2_00007FF8A7411B9C
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A7578A44	4_2_00007FF8A7578A44
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A73EDA74	4_2_00007FF8A73EDA74
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A74DDADC	4_2_00007FF8A74DDADC
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A741F9B4	4_2_00007FF8A741F9B4
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00000003A648EFF0	4_2_00000003A648EFF0
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00000003A648E0A1	4_2_00000003A648E0A1
Source: C:\Windows\explorer.exe	Code function: 6_2_08381A7C	6_2_08381A7C
Source: C:\Windows\explorer.exe	Code function: 6_2_08381A8C	6_2_08381A8C
Source: C:\Windows\explorer.exe	Code function: 6_2_08382164	6_2_08382164

Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: String function: 00007FF607853B20 appears 99 times
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: String function: 00007FF6078425C0 appears 58 times
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: String function: 00007FF6079064E0 appears 37 times
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: String function: 00007FF607845020 appears 48 times
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: String function: 00007FF8A73E58C0 appears 35 times

Source: 6.0.explorer.exe.8380000.0.raw.unpack, type: UNPACKEDPE	Matched rule: latrodectus_exports author = Sekoia.io, description = detection based on the exports, creation_date = 2024-07-03, classification = TLP:CLEAR, version = 1.0, id = 29076cf5-f391-42f2-918f-e1c929bd368d
Source: 4.3.NVIDIA Notification.exe.7ff42a290000.50.raw.unpack, type: UNPACKEDPE	Matched rule: latrodectus_exports author = Sekoia.io, description = detection based on the exports, creation_date = 2024-07-03, classification = TLP:CLEAR, version = 1.0, id = 29076cf5-f391-42f2-918f-e1c929bd368d
Source: 6.0.explorer.exe.8380000.0.unpack, type: UNPACKEDPE	Matched rule: latrodectus_exports author = Sekoia.io, description = detection based on the exports, creation_date = 2024-07-03, classification = TLP:CLEAR, version = 1.0, id = 29076cf5-f391-42f2-918f-e1c929bd368d
Source: 6.2.explorer.exe.8380000.0.unpack, type: UNPACKEDPE	Matched rule: latrodectus_exports author = Sekoia.io, description = detection based on the exports, creation_date = 2024-07-03, classification = TLP:CLEAR, version = 1.0, id = 29076cf5-f391-42f2-918f-e1c929bd368d
Source: 4.3.NVIDIA Notification.exe.7ff42a290000.50.unpack, type: UNPACKEDPE	Matched rule: latrodectus_exports author = Sekoia.io, description = detection based on the exports, creation_date = 2024-07-03, classification = TLP:CLEAR, version = 1.0, id = 29076cf5-f391-42f2-918f-e1c929bd368d
Source: 6.2.explorer.exe.8380000.0.raw.unpack, type: UNPACKEDPE	Matched rule: latrodectus_exports author = Sekoia.io, description = detection based on the exports, creation_date = 2024-07-03, classification = TLP:CLEAR, version = 1.0, id = 29076cf5-f391-42f2-918f-e1c929bd368d
Source: 00000004.00000003.2307209705.00007FF42A290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: latrodectus_exports author = Sekoia.io, description = detection based on the exports, creation_date = 2024-07-03, classification = TLP:CLEAR, version = 1.0, id = 29076cf5-f391-42f2-918f-e1c929bd368d
Source: 00000006.00000000.2290915982.0000000008380000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: latrodectus_exports author = Sekoia.io, description = detection based on the exports, creation_date = 2024-07-03, classification = TLP:CLEAR, version = 1.0, id = 29076cf5-f391-42f2-918f-e1c929bd368d
Source: 00000006.00000002.3370167751.0000000008380000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: latrodectus_exports author = Sekoia.io, description = detection based on the exports, creation_date = 2024-07-03, classification = TLP:CLEAR, version = 1.0, id = 29076cf5-f391-42f2-918f-e1c929bd368d

Source: NVIDIA Notification.exe, 00000004.00000003.2159538014.000002AD18BB0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: kernelbase.dllRaiseFailFastException_p0hntdll.dllRtlDllShutdownInProgressLocal\SM0:%d:%d:%hs.*......./UseSystemForSystemFoldersSoftware\Microsoft\Windows\CurrentVersion\Explorerdesktop.ini%APPDATA%%USERPROFILE%%ALLUSERSPROFILE%%ProgramFiles(x86)%%ProgramFiles%%SystemRoot%%SystemDrive%\\%COMPUTERNAME%...\...PATH.exe.lnk.cmd.bat.com.pifCutListSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation\VarFileInfo\Translation\StringFileInfo\%04X%04X\FileDescription\StringFileInfo\040904E4\FileDescription\StringFileInfo\04090000\FileDescriptionProgram ManagerpszDesktopTitleW%%%s%%%sUSERPROFILEProgramFilesSystemRootSystemDrivewindir"%1"commandshellSoftware\classesDefaultIconshell\%sAssignmentType0Software\Classes\Applications\%sSoftware\Classes\Applications%1.ade.adp.app.asp.cer.chm.cnt.crt.csh.der.fxp.gadget.grp.hlp.hpj.img.inf.ins.iso.isp.its.js.jse.ksh.mad.maf.mag.mam.maq.mar.mas.mat.mau.mav.maw.mcf.mda.mdb.mde.mdt.mdw.mdz.msc.msh.msh1.msh1xml.msh2.msh2xml.mshxml.msp.mst.msu.ops.pcd.pl.plg.prf.prg.printerexport.ps1.ps1xml.ps2.ps2xml.psc1.psc2.psd1.psm1.pst.scf.sct.shb.shs.theme.tmp.url.vbe.vbp.vbs.vhd.vhdx.vsmacros.vsw.webpnp.ws.wsc.wsf.wsh.xnkHKCU:HKLM:HKCR:%s\shell\%s\commandshell\%s\commandSoftware\Clients\%sSoftware\Clients\%s\%sOpen......./%SystemDrive%\\%COMPUTERNAME%...\...%s\%sCutListSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation\VarFileInfo\Translation\StringFileInfo\%04X%04X\FileDescription\StringFileInfo\040904B0\FileDescription\StringFileInfo\040904E4\FileDescription\StringFileInfo\04090000\FileDescriptionT
Source: NVIDIA Notification.exe, 00000004.00000003.2183681340.000002AD18E60000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: ori.nznet.nzorg.nzparliament.nzschool.nzco.omcom.omedu.omgov.ommed.ommuseum.omnet.omorg.ompro.omac.pagob.pacom.paorg.pasld.paedu.panet.paing.paabo.pamed.panom.paedu.pegob.penom.pemil.peorg.pecom.penet.pecom.pforg.pfedu.pfcom.phnet.phorg.phgov.phedu.phngo.phmil.phi.phcom.pknet.pkedu.pkorg.pkfam.pkbiz.pkweb.pkgov.pkgob.pkgok.pkgon.pkgop.pkgos.pkinfo.pkcom.plnet.plorg.plaid.plagro.platm.plauto.plbiz.pledu.plgmina.plgsm.plinfo.plmail.plmiasta.plmedia.plmil.plnieruchomosci.plnom.plpc.plpowiat.plpriv.plrealestate.plrel.plsex.plshop.plsklep.plsos.plszkola.pltargi.pltm.pltourism.pltravel.plturystyka.plgov.plap.gov.plic.gov.plis.gov.plus.gov.plkmpsp.gov.plkppsp.gov.plkwpsp.gov.plpsp.gov.plwskr.gov.plkwp.gov.plmw.gov.plug.gov.plum.gov.plumig.gov.plugim.gov.plupow.gov.pluw.gov.plstarostwo.gov.plpa.gov.plpo.gov.plpsse.gov.plpup.gov.plrzgw.gov.plsa.gov.plso.gov.plsr.gov.plwsa.gov.plsko.gov.pluzs.gov.plwiih.gov.plwinb.gov.plpinb.gov.plwios.gov.plwitd.gov.plwzmiuw.gov.plpiw.gov.plwiw.gov.plgriw.gov.plwif.gov.ploum.gov.plsdn.gov.plzp.gov.pluppo.gov.plmup.gov.plwuoz.gov.plkonsulat.gov.ploirm.gov.plaugustow.plbabia-gora.plbedzin.plbeskidy.plbialowieza.plbialystok.plbielawa.plbieszczady.plboleslawiec.plbydgoszcz.plbytom.plcieszyn.plczeladz.plczest.pldlugoleka.plelblag.plelk.plglogow.plgniezno.plgorlice.plgrajewo.plilawa.pljaworzno.pljelenia-gora.pljgora.plkalisz.plkazimierz-dolny.plkarpacz.plkartuzy.plkaszuby.plkatowice.plkepno.plketrzyn.plklodzko.plkobierzyce.plkolobrzeg.plkonin.plkonskowola.plkutno.pllapy.pllebork.pllegnica.pllezajsk.pllimanowa.pllomza.pllowicz.pllubin.pllukow.plmalbork.plmalopolska.plmazowsze.plmazury.plmielec.plmielno.plmragowo.plnaklo.plnowaruda.plnysa.plolawa.plolecko.plolkusz.plolsztyn.plopoczno.plopole.plostroda.plostroleka.plostrowiec.plostrowwlkp.plpila.plpisz.plpodhale.plpodlasie.plpolkowice.plpomorze.plpomorskie.plprochowice.plpruszkow.plprzeworsk.plpulawy.plradom.plrawa-maz.plrybnik.plrzeszow.plsanok.plsejny.plslask.plslupsk.plsosnowiec.plstalowa-wola.plskoczow.plstarachowice.plstargard.plsuwalki.plswidnica.plswiebodzin.plswinoujscie.plszczecin.plszczytno.pltarnobrzeg.pltgory.plturek.pltychy.plustka.plwalbrzych.plwarmia.plwarszawa.plwaw.plwegrow.plwielun.plwlocl.plwloclawek.plwodzislaw.plwolomin.plwroclaw.plzachpomor.plzagan.plzarow.plzgora.plzgorzelec.plgov.pnco.pnorg.pnedu.pnnet.pncom.prnet.prorg.prgov.predu.prisla.prpro.prbiz.prinfo.prname.prest.prprof.prac.praaa.proaca.proacct.proavocat.probar.procpa.proeng.projur.prolaw.promed.prorecht.proedu.psgov.pssec.psplo.pscom.psorg.psnet.psnet.ptgov.ptorg.ptedu.ptint.ptpubl.ptcom.ptnome.ptco.pwne.pwor.pwed.pwgo.pwbelau.pwcom.pycoop.pyedu.pygov.pymil.pynet.pyorg.pycom.qaedu.qagov.qamil.qaname.qanet.qaorg.qasch.qaasso.recom.renom.rearts.rocom.rofirm.roinfo.ronom.ront.roorg.rorec.rostore.rotm.rowww.roac.rsco.rsedu.rsgov.rsin.rsorg.rsac.ruedu.rugov.ruint.rumil.rutest.rugov.rwnet.rwedu.rwac.rwcom.rwco.rwint.rwmil.rwgouv.rwcom.sanet.saorg.sagov.samed.sapub.saedu.sasch.sacom.sbedu.sbgov.sbnet.sbor

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Doc171836.js"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 7439225C7269580DA474D5762FBBF668
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe "C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 7439225C7269580DA474D5762FBBF668	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe "C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Section loaded: libcef.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Section loaded: d3dcompiler_47.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dsrole.dll	Jump to behavior

Source: Doc171836.js	String : entropy: 5.26, length: 9377, content: "{\"bitmask_subpixel_annealing14\":456.46,\"knapsack_bottleneck_polymorphism75\":638.21,\"akka_truff	Go to definition
Source: Doc171836.js	String : entropy: 5.26, length: 9377, content: "{\"bitmask_subpixel_annealing14\":456.46,\"knapsack_bottleneck_polymorphism75\":638.21,\"akka_truff	Go to definition
Source: Doc171836.js	String : entropy: 5.26, length: 9377, content: "{\"bitmask_subpixel_annealing14\":456.46,\"knapsack_bottleneck_polymorphism75\":638.21,\"akka_truff	Go to definition
Source: Doc171836.js	String : entropy: 5.26, length: 9377, content: "{\"bitmask_subpixel_annealing14\":456.46,\"knapsack_bottleneck_polymorphism75\":638.21,\"akka_truff	Go to definition
Source: Doc171836.js	String : entropy: 5.28, length: 25390, content: "{\"boundedcontext_ringbuffer37\":{\"springboot_kappaarchitecture_monad10\":\"7eab1d92-3ee0-4123-9a8	Go to definition
Source: Doc171836.js	String : entropy: 5.28, length: 25390, content: "{\"boundedcontext_ringbuffer37\":{\"springboot_kappaarchitecture_monad10\":\"7eab1d92-3ee0-4123-9a8	Go to definition
Source: Doc171836.js	String : entropy: 5.28, length: 25390, content: "{\"boundedcontext_ringbuffer37\":{\"springboot_kappaarchitecture_monad10\":\"7eab1d92-3ee0-4123-9a8	Go to definition
Source: Doc171836.js	String : entropy: 5.26, length: 25676, content: "[191,2923.53,[5380,\"monad\",{\"truffle_rust_lazyinitialization43\":{\"microkernel41\":{\"codecover	Go to definition
Source: Doc171836.js	String : entropy: 5.26, length: 25676, content: "[191,2923.53,[5380,\"monad\",{\"truffle_rust_lazyinitialization43\":{\"microkernel41\":{\"codecover	Go to definition
Source: Doc171836.js	String : entropy: 5.26, length: 25676, content: "[191,2923.53,[5380,\"monad\",{\"truffle_rust_lazyinitialization43\":{\"microkernel41\":{\"codecover	Go to definition
Source: Doc171836.js	String : entropy: 5.3, length: 13205, content: "{\"graphdb_cassandra_sandbox34\":{\"labelling38\":{\"drivermanagement_twophaselock74\":[[\"3d448335	Go to definition
Source: Doc171836.js	String : entropy: 5.3, length: 13205, content: "{\"graphdb_cassandra_sandbox34\":{\"labelling38\":{\"drivermanagement_twophaselock74\":[[\"3d448335	Go to definition
Source: Doc171836.js	String : entropy: 5.28, length: 24485, content: "{\"symfony_nuxt96\":{\"tailcall_springboot_opsgenie38\":949.62,\"hotfix97\":[7322,[[\"m5]UAQv:i\",3	Go to definition
Source: Doc171836.js	String : entropy: 5.28, length: 24485, content: "{\"symfony_nuxt96\":{\"tailcall_springboot_opsgenie38\":949.62,\"hotfix97\":[7322,[[\"m5]UAQv:i\",3	Go to definition
Source: Doc171836.js	String : entropy: 5.28, length: 24485, content: "{\"symfony_nuxt96\":{\"tailcall_springboot_opsgenie38\":949.62,\"hotfix97\":[7322,[[\"m5]UAQv:i\",3	Go to definition
Source: Doc171836.js	String : entropy: 5.28, length: 24485, content: "{\"symfony_nuxt96\":{\"tailcall_springboot_opsgenie38\":949.62,\"hotfix97\":[7322,[[\"m5]UAQv:i\",3	Go to definition
Source: Doc171836.js	String : entropy: 5.28, length: 24485, content: "{\"symfony_nuxt96\":{\"tailcall_springboot_opsgenie38\":949.62,\"hotfix97\":[7322,[[\"m5]UAQv:i\",3	Go to definition
Source: Doc171836.js	String : entropy: 5.28, length: 20040, content: "{\"zeroknowledge81\":[{\"renderpipeline_micronaut_gerrit79\":\"hm=@Vy1ei2dkY\|\",\"merkle_idempotenc	Go to definition
Source: Doc171836.js	String : entropy: 5.28, length: 20040, content: "{\"zeroknowledge81\":[{\"renderpipeline_micronaut_gerrit79\":\"hm=@Vy1ei2dkY\|\",\"merkle_idempotenc	Go to definition
Source: Doc171836.js	String : entropy: 5.28, length: 20040, content: "{\"zeroknowledge81\":[{\"renderpipeline_micronaut_gerrit79\":\"hm=@Vy1ei2dkY\|\",\"merkle_idempotenc	Go to definition
Source: Doc171836.js	String : entropy: 5.28, length: 20040, content: "{\"zeroknowledge81\":[{\"renderpipeline_micronaut_gerrit79\":\"hm=@Vy1ei2dkY\|\",\"merkle_idempotenc	Go to definition

Source: NVIDIA Notification.exe.1.dr	Static PE information: section name: .oldntma
Source: NVIDIA Notification.exe.1.dr	Static PE information: section name: .crthunk
Source: NVIDIA Notification.exe.1.dr	Static PE information: section name: _RDATA
Source: vcruntime140.dll.1.dr	Static PE information: section name: fothk
Source: vcruntime140.dll.1.dr	Static PE information: section name: _RDATA
Source: msvcp_win.dll.1.dr	Static PE information: section name: .didat

Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_3_000002AD172700A9 push ss; iretd	4_3_000002AD172700BA
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A74271D1 push 457F0FF3h; iretd	4_2_00007FF8A74271D7
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A74271C5 push rbp; iretd	4_2_00007FF8A74271CB

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\nvidia\vcruntime140_1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB62D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\nvidia\msvcrt.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB68C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\nvidia\msvcp_win.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB6CB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\nvidia\msvcp140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\nvidia\msvcp140_1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBA38.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\nvidia\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIB6EB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\nvidia\libcef.dll	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A73E8850 GetDC,GetClientRect,InvalidateRect,IsIconic,SendMessageW,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,		4_2_00007FF8A73E8850
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A741894C SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,GetParent,SendMessageW,UpdateWindow,GetParent,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow,		4_2_00007FF8A741894C

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\explorer.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,		6_2_08387410
Source: C:\Windows\explorer.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA,		6_2_083885C0

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 496	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 8778	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 877	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 876	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\nvidia\vcruntime140_1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIB62D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIB68C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIB6CB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\nvidia\msvcp140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\nvidia\msvcp140_1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIBA38.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\nvidia\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIB6EB.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe TID: 2148	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe TID: 6668	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5536	Thread sleep count: 284 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5536	Thread sleep time: -284000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3136	Thread sleep count: 496 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3136	Thread sleep time: -49600s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5536	Thread sleep count: 8778 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5536	Thread sleep time: -8778000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: explorer.exe, 00000006.00000000.2292351623.0000000009B96000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000006.00000000.2289597745.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: explorer.exe, 00000006.00000002.3371568894.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2292351623.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 00000006.00000000.2292351623.0000000009B96000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000006.00000000.2292351623.0000000009B96000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTcaVMWare
Source: explorer.exe, 00000006.00000002.3371568894.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: explorer.exe, 00000006.00000000.2292351623.0000000009B96000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.2288467195.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: explorer.exe, 00000006.00000000.2292351623.0000000009B96000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000006.00000000.2288467195.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000006.00000000.2287637834.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: explorer.exe, 00000006.00000000.2289597745.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: NVIDIA Notification.exe, 00000004.00000003.2159080582.000002AD18E90000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: DisableGuestVmNetworkConnectivity
Source: NVIDIA Notification.exe, 00000004.00000002.3364770115.000002AD17107000.00000004.00000020.00020000.00000000.sdmp, NVIDIA Notification.exe, 00000004.00000003.2284837013.000002AD1714C000.00000004.00000020.00020000.00000000.sdmp, NVIDIA Notification.exe, 00000004.00000002.3364770115.000002AD17145000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3371568894.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2292351623.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000006.00000003.3096832991.000000000C899000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:)"$
Source: explorer.exe, 00000006.00000000.2288467195.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: NVIDIA Notification.exe, 00000004.00000003.2159080582.000002AD18E90000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: EnableGuestVmNetworkConnectivity
Source: explorer.exe, 00000006.00000000.2288467195.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware,p
Source: explorer.exe, 00000006.00000000.2292351623.0000000009B96000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 00000006.00000000.2287637834.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000006.00000002.3371568894.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000002.3368085367.0000000007693000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Doc171836.js

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Latrodectus

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Doc171836.js

Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF6079D5174 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00007FF6079D5174
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF6079980C4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00007FF6079980C4
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00007FF8A758143C SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00007FF8A758143C

Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_3_00007FF42A2B0100 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,		4_3_00007FF42A2B0100
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Code function: 4_2_00000003A6451370 Sleep,SleepEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,WaitForSingleObject,		4_2_00000003A6451370

Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	NtClose: Indirect: 0x2AD18D08D8A
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	NtReadVirtualMemory: Indirect: 0x2AD18D2523C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	NtAllocateVirtualMemory: Indirect: 0x2AD172AD2DA	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	NtSuspendThread: Indirect: 0x2AD18D0F4F0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	NtAllocateVirtualMemory: Indirect: 0x2AD18D23FC7	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	NtQueueApcThread: Indirect: 0x2AD18D2506A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	NtProtectVirtualMemory: Indirect: 0x2AD172AD336	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	NtClose: Indirect: 0x2AD18CF1AAC
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	NtCreateThreadEx: Indirect: 0x2AD18D2444E	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	NtSetContextThread: Indirect: 0x2AD18D0816E	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	NtSetContextThread: Indirect: 0x2AD18D07AFE	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	NtProtectVirtualMemory: Indirect: 0x2AD18D24C5C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	NtResumeThread: Indirect: 0x2AD18D0F5FA	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	NtClose: Indirect: 0x2AD18D06154
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	NtTerminateThread: Indirect: 0x2AD18D06165	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	NtClose: Indirect: 0x2AD18CF15BD
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	NtClose: Indirect: 0x2AD18D0F626

Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Thread register set: target process: 940	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Thread register set: target process: 940	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Thread register set: target process: 940	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Thread register set: target process: 940	Jump to behavior
Source: C:\Users\user\AppData\Roaming\nvidia\NVIDIA Notification.exe	Thread register set: target process: 940	Jump to behavior

Source: Yara match	File source: 00000004.00000003.2284961805.000002AD19604000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3367947981.000002AD19798000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3367444627.000002AD195D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NVIDIA Notification.exe PID: 5804, type: MEMORYSTR

Source: Yara match	File source: 00000006.00000002.3386556969.000000000F10C000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 1028, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	3 Scripting	1 Replication Through Removable Media	1 Native API	3 Scripting	1 Abuse Elevation Control Mechanism	11 Disable or Modify Tools	41 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	41 Input Capture	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	92 Process Injection	1 Abuse Elevation Control Mechanism	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	1 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	1 Data Encoding	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	25 System Information Discovery	SSH	Keylogging	4 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	31 Security Software Discovery	VNC	GUI Input Capture	115 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	21 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Masquerading	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	11 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	92 Process Injection	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	1 System Network Configuration Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption