Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Request for Quotation 2170032137 PDF.exe

Overview

General Information

Sample name:Request for Quotation 2170032137 PDF.exe
Analysis ID:1642618
MD5:56aeedf2001eee4f8265797c68d94f8d
SHA1:39bb571af117b164c63e463d717a43447f819530
SHA256:d26d1b6211cc74b45b838e9909400b18a2866054ea0452ce8ff420593935b317
Tags:exeuser-julianmckein
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
Binary is likely a compiled AutoIt script file
Creates files inside the volume driver (system volume information)
Deletes shadow drive data (may be related to ransomware)
Drops executable to a common third party application directory
Found direct / indirect Syscall (likely to bypass EDR)
Infects executable files (exe, dll, sys, html)
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queries random domain names (often used to prevent blacklisting and sinkholes)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Connects to many different domains
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Enables driver privileges
Enables security privileges
Executes massive DNS lookups (> 100)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • Request for Quotation 2170032137 PDF.exe (PID: 7684 cmdline: "C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exe" MD5: 56AEEDF2001EEE4F8265797C68D94F8D)
    • svchost.exe (PID: 7752 cmdline: "C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • JHafvhydouNovF.exe (PID: 2804 cmdline: "C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\F4z7i1CETfOsA.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
        • mfpmp.exe (PID: 436 cmdline: "C:\Windows\SysWOW64\mfpmp.exe" MD5: 9CD65F38A2B4E53E8180395DE4988D6A)
          • JHafvhydouNovF.exe (PID: 2696 cmdline: "C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\ZIu3keQn1qRYv.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
          • firefox.exe (PID: 8996 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • armsvc.exe (PID: 7708 cmdline: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" MD5: D203B8111A9CC23ACEBE9A62DCE2059E)
  • alg.exe (PID: 7776 cmdline: C:\Windows\System32\alg.exe MD5: B647D9E6A23B0F0237BAFC0BC71AB83E)
  • FXSSVC.exe (PID: 7928 cmdline: C:\Windows\system32\fxssvc.exe MD5: 00D8CAB3B508132EAC8C84BDFEB65037)
  • elevation_service.exe (PID: 8168 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe" MD5: 62742D2AFE9063CD8EC2489406AFA7E7)
  • maintenanceservice.exe (PID: 7204 cmdline: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" MD5: E7B654A37D3805221DBE47A258039593)
  • msdtc.exe (PID: 7296 cmdline: C:\Windows\System32\msdtc.exe MD5: F40A27E997FA4D11A25638183CE75709)
  • PerceptionSimulationService.exe (PID: 7504 cmdline: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe MD5: 9059E4A96FDBBBFF47EB564CA33EA1AB)
  • perfhost.exe (PID: 6128 cmdline: C:\Windows\SysWow64\perfhost.exe MD5: 30E78C9CB98A9362F3170FE024DDF514)
  • Locator.exe (PID: 500 cmdline: C:\Windows\system32\locator.exe MD5: F343187854DEDAF53C9B18138358B3A7)
  • SensorDataService.exe (PID: 7352 cmdline: C:\Windows\System32\SensorDataService.exe MD5: 11C923DA1BF656E76CEE838A8200A50D)
  • snmptrap.exe (PID: 1384 cmdline: C:\Windows\System32\snmptrap.exe MD5: F1A09A9AC23823ED431730120D5CE7CF)
  • Spectrum.exe (PID: 4344 cmdline: C:\Windows\system32\spectrum.exe MD5: BA80618BAE1D26508A504DB2FA3F9219)
  • ssh-agent.exe (PID: 8296 cmdline: C:\Windows\System32\OpenSSH\ssh-agent.exe MD5: BD84AB7A306A12D3C03AA95102D7C30C)
  • TieringEngineService.exe (PID: 8344 cmdline: C:\Windows\system32\TieringEngineService.exe MD5: 58FE48EA08441415658CD0DE25535ECF)
  • AgentService.exe (PID: 8456 cmdline: C:\Windows\system32\AgentService.exe MD5: 0DA02517F92F10B1AEEF34BB677EF132)
  • vds.exe (PID: 8476 cmdline: C:\Windows\System32\vds.exe MD5: 50662D9136EE6D7A4DB1C8FBD7895CBB)
  • wbengine.exe (PID: 8616 cmdline: "C:\Windows\system32\wbengine.exe" MD5: 1A06DF224A27A865271E1C97FCBC1A00)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000F.00000002.2452791922.0000000002DF0000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000002.00000002.1319122745.0000000000400000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      0000000F.00000002.2453998718.0000000002E40000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        00000002.00000002.1321465488.0000000003C00000.00000040.10000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
          00000023.00000002.2467620602.00000000049F0000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
            Click to see the 3 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            2.2.svchost.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
              2.2.svchost.exe.400000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security

                Sigma Signatures

                System Summary

                barindex
                Sigma detected: Uncommon Svchost Parent Process
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exe", CommandLine: "C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exe", CommandLine|base64offset|contains: ~, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exe", ParentImage: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exe, ParentProcessId: 7684, ParentProcessName: Request for Quotation 2170032137 PDF.exe, ProcessCommandLine: "C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exe", ProcessId: 7752, ProcessName: svchost.exe
                Sigma detected: Windows Processes Suspicious Parent Directory
                Source: Process startedAuthor: vburov: Data: Command: "C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exe", CommandLine: "C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exe", CommandLine|base64offset|contains: ~, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exe", ParentImage: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exe, ParentProcessId: 7684, ParentProcessName: Request for Quotation 2170032137 PDF.exe, ProcessCommandLine: "C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exe", ProcessId: 7752, ProcessName: svchost.exe

                Suricata Signatures

                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-03-19T08:58:12.264150+010020516541A Network Trojan was detected192.168.2.4497441.1.1.153UDP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-03-19T08:57:42.536702+010020516511A Network Trojan was detected192.168.2.4624181.1.1.153UDP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-03-19T08:58:06.244537+010020516531A Network Trojan was detected192.168.2.4635461.1.1.153UDP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-03-19T08:56:17.350230+010020516491A Network Trojan was detected192.168.2.4577901.1.1.153UDP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-03-19T08:56:15.925686+010020516481A Network Trojan was detected192.168.2.4562541.1.1.153UDP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-03-19T08:56:42.133164+010020507451Malware Command and Control Activity Detected192.168.2.44973713.248.169.4880TCP
                2025-03-19T08:57:10.395713+010020507451Malware Command and Control Activity Detected192.168.2.44976413.248.169.4880TCP
                2025-03-19T08:57:23.650370+010020507451Malware Command and Control Activity Detected192.168.2.449778199.59.243.16080TCP
                2025-03-19T08:57:39.887850+010020507451Malware Command and Control Activity Detected192.168.2.44979613.248.169.4880TCP
                2025-03-19T08:57:53.082951+010020507451Malware Command and Control Activity Detected192.168.2.44981513.248.169.4880TCP
                2025-03-19T08:58:06.359310+010020507451Malware Command and Control Activity Detected192.168.2.44983613.248.169.4880TCP
                2025-03-19T08:58:28.186180+010020507451Malware Command and Control Activity Detected192.168.2.44985237.27.60.10980TCP
                2025-03-19T08:58:41.450286+010020507451Malware Command and Control Activity Detected192.168.2.44985613.248.169.4880TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-03-19T08:56:11.360843+010020181411A Network Trojan was detected52.11.240.23980192.168.2.449710TCP
                2025-03-19T08:56:49.656556+010020181411A Network Trojan was detected3.229.117.5780192.168.2.449741TCP
                2025-03-19T08:56:54.602029+010020181411A Network Trojan was detected34.245.175.18780192.168.2.449746TCP
                2025-03-19T08:57:01.733538+010020181411A Network Trojan was detected52.43.119.12080192.168.2.449752TCP
                2025-03-19T08:57:02.626071+010020181411A Network Trojan was detected54.85.87.18480192.168.2.449753TCP
                2025-03-19T08:57:15.595141+010020181411A Network Trojan was detected34.229.166.5080192.168.2.449769TCP
                2025-03-19T08:57:24.830473+010020181411A Network Trojan was detected18.142.91.11180192.168.2.449779TCP
                2025-03-19T08:57:30.400116+010020181411A Network Trojan was detected54.169.144.9780192.168.2.449786TCP
                2025-03-19T08:57:31.173744+010020181411A Network Trojan was detected52.26.80.13380192.168.2.449787TCP
                2025-03-19T08:57:37.276694+010020181411A Network Trojan was detected13.213.51.19680192.168.2.449795TCP
                2025-03-19T08:57:42.541048+010020181411A Network Trojan was detected52.212.150.5480192.168.2.449802TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-03-19T08:56:11.360843+010020377711A Network Trojan was detected52.11.240.23980192.168.2.449710TCP
                2025-03-19T08:56:49.656556+010020377711A Network Trojan was detected3.229.117.5780192.168.2.449741TCP
                2025-03-19T08:56:54.602029+010020377711A Network Trojan was detected34.245.175.18780192.168.2.449746TCP
                2025-03-19T08:57:01.733538+010020377711A Network Trojan was detected52.43.119.12080192.168.2.449752TCP
                2025-03-19T08:57:02.626071+010020377711A Network Trojan was detected54.85.87.18480192.168.2.449753TCP
                2025-03-19T08:57:15.595141+010020377711A Network Trojan was detected34.229.166.5080192.168.2.449769TCP
                2025-03-19T08:57:24.830473+010020377711A Network Trojan was detected18.142.91.11180192.168.2.449779TCP
                2025-03-19T08:57:30.400116+010020377711A Network Trojan was detected54.169.144.9780192.168.2.449786TCP
                2025-03-19T08:57:31.173744+010020377711A Network Trojan was detected52.26.80.13380192.168.2.449787TCP
                2025-03-19T08:57:37.276694+010020377711A Network Trojan was detected13.213.51.19680192.168.2.449795TCP
                2025-03-19T08:57:42.541048+010020377711A Network Trojan was detected52.212.150.5480192.168.2.449802TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-03-19T08:56:42.133164+010028554651A Network Trojan was detected192.168.2.44973713.248.169.4880TCP
                2025-03-19T08:57:10.395713+010028554651A Network Trojan was detected192.168.2.44976413.248.169.4880TCP
                2025-03-19T08:57:23.650370+010028554651A Network Trojan was detected192.168.2.449778199.59.243.16080TCP
                2025-03-19T08:57:39.887850+010028554651A Network Trojan was detected192.168.2.44979613.248.169.4880TCP
                2025-03-19T08:57:53.082951+010028554651A Network Trojan was detected192.168.2.44981513.248.169.4880TCP
                2025-03-19T08:58:06.359310+010028554651A Network Trojan was detected192.168.2.44983613.248.169.4880TCP
                2025-03-19T08:58:28.186180+010028554651A Network Trojan was detected192.168.2.44985237.27.60.10980TCP
                2025-03-19T08:58:41.450286+010028554651A Network Trojan was detected192.168.2.44985613.248.169.4880TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-03-19T08:57:02.701541+010028554641A Network Trojan was detected192.168.2.44975413.248.169.4880TCP
                2025-03-19T08:57:05.259662+010028554641A Network Trojan was detected192.168.2.44975713.248.169.4880TCP
                2025-03-19T08:57:07.791613+010028554641A Network Trojan was detected192.168.2.44976113.248.169.4880TCP
                2025-03-19T08:57:16.098738+010028554641A Network Trojan was detected192.168.2.449770199.59.243.16080TCP
                2025-03-19T08:57:18.521623+010028554641A Network Trojan was detected192.168.2.449773199.59.243.16080TCP
                2025-03-19T08:57:21.090486+010028554641A Network Trojan was detected192.168.2.449776199.59.243.16080TCP
                2025-03-19T08:57:29.202912+010028554641A Network Trojan was detected192.168.2.44978513.248.169.4880TCP
                2025-03-19T08:57:31.751198+010028554641A Network Trojan was detected192.168.2.44978913.248.169.4880TCP
                2025-03-19T08:57:34.308340+010028554641A Network Trojan was detected192.168.2.44979313.248.169.4880TCP
                2025-03-19T08:57:45.427187+010028554641A Network Trojan was detected192.168.2.44980513.248.169.4880TCP
                2025-03-19T08:57:47.965490+010028554641A Network Trojan was detected192.168.2.44980913.248.169.4880TCP
                2025-03-19T08:57:50.518647+010028554641A Network Trojan was detected192.168.2.44981213.248.169.4880TCP
                2025-03-19T08:57:58.692163+010028554641A Network Trojan was detected192.168.2.44982313.248.169.4880TCP
                2025-03-19T08:58:01.219302+010028554641A Network Trojan was detected192.168.2.44982713.248.169.4880TCP
                2025-03-19T08:58:03.773708+010028554641A Network Trojan was detected192.168.2.44983213.248.169.4880TCP
                2025-03-19T08:58:12.975405+010028554641A Network Trojan was detected192.168.2.44984537.27.60.10980TCP
                2025-03-19T08:58:16.023438+010028554641A Network Trojan was detected192.168.2.44984837.27.60.10980TCP
                2025-03-19T08:58:25.627217+010028554641A Network Trojan was detected192.168.2.44985137.27.60.10980TCP
                2025-03-19T08:58:33.737741+010028554641A Network Trojan was detected192.168.2.44985313.248.169.4880TCP
                2025-03-19T08:58:36.317461+010028554641A Network Trojan was detected192.168.2.44985413.248.169.4880TCP
                2025-03-19T08:58:38.850065+010028554641A Network Trojan was detected192.168.2.44985513.248.169.4880TCP
                2025-03-19T08:58:47.129104+010028554641A Network Trojan was detected192.168.2.449857203.161.60.16180TCP
                2025-03-19T08:58:49.655659+010028554641A Network Trojan was detected192.168.2.449858203.161.60.16180TCP
                2025-03-19T08:58:52.233993+010028554641A Network Trojan was detected192.168.2.449859203.161.60.16180TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-03-19T08:56:16.594674+010028508511Malware Command and Control Activity Detected192.168.2.44971772.52.178.2380TCP
                2025-03-19T08:57:30.392724+010028508511Malware Command and Control Activity Detected192.168.2.44978654.169.144.9780TCP

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Antivirus / Scanner detection for submitted sample
                Source: Request for Quotation 2170032137 PDF.exeAvira: detected
                Antivirus detection for URL or domain
                Source: http://ww7.fwiwk.biz/mwhvimeidcfs?usid=26&utid=11300867017Avira URL Cloud: Label: phishing
                Source: http://ww12.fwiwk.biz/Avira URL Cloud: Label: phishing
                Source: http://ww7.przvgke.biz/mqvmnujuhcpcx?usid=26&utid=11300861055LocationETagAuthentication-InfoAgeAccepAvira URL Cloud: Label: malware
                Source: http://www.publicblockchain.xyz/9x20/Avira URL Cloud: Label: malware
                Source: http://ww7.przvgke.biz/mqvmnujuhcpcx?usid=26&utid=11300861055Avira URL Cloud: Label: malware
                Antivirus detection for dropped file
                Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exeAvira: detection malicious, Label: W32/Infector.Gen
                Source: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exeAvira: detection malicious, Label: W32/Infector.Gen
                Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exeAvira: detection malicious, Label: W32/Infector.Gen
                Source: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exeAvira: detection malicious, Label: W32/Infector.Gen
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeAvira: detection malicious, Label: W32/Infector.Gen
                Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exeAvira: detection malicious, Label: W32/Infector.Gen
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeAvira: detection malicious, Label: W32/Infector.Gen
                Source: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exeAvira: detection malicious, Label: W32/Infector.Gen
                Source: C:\Program Files (x86)\AutoIt3\Au3Check.exeAvira: detection malicious, Label: W32/Infector.Gen
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeAvira: detection malicious, Label: W32/Infector.Gen
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exeAvira: detection malicious, Label: W32/Infector.Gen
                Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exeAvira: detection malicious, Label: W32/Infector.Gen
                Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exeAvira: detection malicious, Label: W32/Infector.Gen
                Source: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exeAvira: detection malicious, Label: W32/Infector.Gen
                Source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exeAvira: detection malicious, Label: W32/Infector.Gen
                Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeAvira: detection malicious, Label: W32/Infector.Gen
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exeAvira: detection malicious, Label: W32/Infector.Gen
                Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exeAvira: detection malicious, Label: W32/Infector.Gen
                Source: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exeAvira: detection malicious, Label: W32/Infector.Gen
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeAvira: detection malicious, Label: W32/Infector.Gen
                Source: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exeAvira: detection malicious, Label: W32/Infector.Gen
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exeAvira: detection malicious, Label: W32/Infector.Gen
                Source: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exeAvira: detection malicious, Label: W32/Infector.Gen
                Source: C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\updater.exeAvira: detection malicious, Label: W32/Infector.Gen
                Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeAvira: detection malicious, Label: W32/Infector.Gen
                Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exeAvira: detection malicious, Label: W32/Infector.Gen
                Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exeAvira: detection malicious, Label: W32/Infector.Gen
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeAvira: detection malicious, Label: W32/Infector.Gen
                Source: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exeAvira: detection malicious, Label: W32/Infector.Gen
                Source: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exeAvira: detection malicious, Label: W32/Infector.Gen
                Source: C:\Program Files (x86)\AutoIt3\Au3Info.exeAvira: detection malicious, Label: W32/Infector.Gen
                Multi AV Scanner detection for submitted file
                Source: Request for Quotation 2170032137 PDF.exeReversingLabs: Detection: 85%
                Source: Request for Quotation 2170032137 PDF.exeVirustotal: Detection: 73%Perma Link
                Yara detected FormBook
                Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000F.00000002.2452791922.0000000002DF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1319122745.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.2453998718.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1321465488.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000023.00000002.2467620602.00000000049F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.2405286920.0000000002820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000D.00000002.2454038999.0000000002CB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1319902942.0000000003360000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Joe Sandbox ML detected suspicious sample
                Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                Source: Request for Quotation 2170032137 PDF.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: armsvc.exe, 00000001.00000003.1725592296.0000000001FC0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: Request for Quotation 2170032137 PDF.exe, 00000000.00000003.1142035027.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe.0.dr
                Source: Binary string: msiexec.pdb source: armsvc.exe, 00000001.00000003.1223159068.0000000001AB0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: armsvc.exe, 00000001.00000003.1795693863.0000000000830000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1797481959.00000000007C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1807529055.0000000000700000.00000004.00001000.00020000.00000000.sdmp, WindowsInstaller-KB893803-v2-x86.exe.1.dr
                Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb source: armsvc.exe, 00000001.00000003.1420784875.0000000001FB0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: ssh-agent.pdb source: armsvc.exe, 00000001.00000003.1289641035.0000000002040000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: armsvc.exe, 00000001.00000003.1539307812.0000000001F30000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: armsvc.exe, 00000001.00000003.1539307812.0000000001F30000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: vssvc.pdb source: VSSVC.exe.1.dr
                Source: Binary string: msiexec.pdbGCTL source: armsvc.exe, 00000001.00000003.1223159068.0000000001AB0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: ADelRCP_Exec.pdb source: armsvc.exe, 00000001.00000003.1564810456.0000000001AC0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\jjs_objs\jjs.pdb source: jjs.exe.1.dr
                Source: Binary string: mavinject32.pdbGCTL source: armsvc.exe, 00000001.00000003.1843574884.0000000000870000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1840114212.0000000000860000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: PresentationFontCache.pdb source: armsvc.exe, 00000001.00000003.1173376977.0000000002090000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: PerceptionSimulationService.pdb source: armsvc.exe, 00000001.00000003.1229499868.0000000002050000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: MFPMP.pdbUGP source: svchost.exe, 00000002.00000003.1286446437.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1287237079.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1287309124.0000000002E24000.00000004.00000020.00020000.00000000.sdmp, JHafvhydouNovF.exe, 0000000D.00000003.1692984351.0000000001054000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: Request for Quotation 2170032137 PDF.exe, 00000000.00000003.1149607815.0000000004080000.00000004.00001000.00020000.00000000.sdmp, Request for Quotation 2170032137 PDF.exe, 00000000.00000003.1153123563.0000000004D70000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1224739065.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1319947125.0000000003500000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1319947125.000000000369E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1220845297.0000000003100000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 0000000F.00000003.1319850265.0000000002EA7000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 0000000F.00000003.1323704812.0000000003055000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 0000000F.00000002.2459249033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, mfpmp.exe, 0000000F.00000002.2459249033.000000000339E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: armsvc.exe, 00000001.00000003.1510211277.0000000001AB0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmiregistry_objs\rmiregistry.pdb source: rmiregistry.exe.1.dr
                Source: Binary string: Spectrum.pdb source: Spectrum.exe.1.dr
                Source: Binary string: D:\a\_work\e\src\out\Release_x64\notification_helper.exe.pdb source: notification_click_helper.exe.1.dr
                Source: Binary string: MsSense.pdbGCTL source: armsvc.exe, 00000001.00000003.1257975412.0000000002040000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: armsvc.exe, 00000001.00000003.1827366220.00000000007F0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: MsSense.pdb source: armsvc.exe, 00000001.00000003.1257975412.0000000002040000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: armsvc.exe, 00000001.00000003.1737871345.0000000002030000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1745300945.00000000019D0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\tnameserv_objs\tnameserv.pdb source: tnameserv.exe.1.dr
                Source: Binary string: svchost.pdb source: mfpmp.exe, 0000000F.00000002.2419863216.0000000002CC8000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 0000000F.00000002.2472507538.000000000382C000.00000004.10000000.00040000.00000000.sdmp, JHafvhydouNovF.exe, 00000023.00000002.2459183149.00000000025BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000026.00000002.1657376699.000000002146C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: WmiApSrv.pdbGCTL source: armsvc.exe, 00000001.00000003.1345776627.0000000002040000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: mfpmp.exe, 0000000F.00000002.2419863216.0000000002CC8000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 0000000F.00000002.2472507538.000000000382C000.00000004.10000000.00040000.00000000.sdmp, JHafvhydouNovF.exe, 00000023.00000002.2459183149.00000000025BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000026.00000002.1657376699.000000002146C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: armsvc.exe, 00000001.00000003.1603124621.00000000019D0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatExe.pdb source: Acrobat.exe.1.dr
                Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\javacplexec\obj\javacpl.pdb source: javacpl.exe.1.dr
                Source: Binary string: Acrobat_SL.pdb((( source: armsvc.exe, 00000001.00000003.1433078419.0000000001FB0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: Spectrum.pdbGCTL source: Spectrum.exe.1.dr
                Source: Binary string: locator.pdb source: armsvc.exe, 00000001.00000003.1242191061.0000000002040000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1255672902.0000000001FA0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: armsvc.exe, 00000001.00000003.1163574287.00000000020A0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmid_objs\rmid.pdb source: rmid.exe.1.dr
                Source: Binary string: ADelRCP_Exec.pdbCC9 source: armsvc.exe, 00000001.00000003.1564810456.0000000001AC0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdb source: armsvc.exe, 00000001.00000003.1441681330.0000000001FB0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: Acrobat_SL.pdb source: armsvc.exe, 00000001.00000003.1433078419.0000000001FB0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: armsvc.exe, 00000001.00000003.1795693863.0000000000830000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1797481959.00000000007C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1807529055.0000000000700000.00000004.00001000.00020000.00000000.sdmp, WindowsInstaller-KB893803-v2-x86.exe.1.dr
                Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\javacplexec\obj\javacpl.pdb774 source: javacpl.exe.1.dr
                Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\java_objs\java.pdb source: java.exe.1.dr
                Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: armsvc.exe, 00000001.00000003.1510211277.0000000001AB0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: armsvc.exe, 00000001.00000003.1623851549.0000000002020000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) source: armsvc.exe, 00000001.00000003.1420784875.0000000001FB0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\jjs_objs\jjs.pdb source: jjs.exe.1.dr
                Source: Binary string: mavinject32.pdb source: armsvc.exe, 00000001.00000003.1843574884.0000000000870000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1840114212.0000000000860000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: PerceptionSimulationService.pdbGCTL source: armsvc.exe, 00000001.00000003.1229499868.0000000002050000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: snmptrap.pdbGCTL source: armsvc.exe, 00000001.00000003.1268341299.0000000002040000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: maintenanceservice.pdb source: armsvc.exe, 00000001.00000003.1208471492.0000000002000000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: 64BitMAPIBroker.pdb source: armsvc.exe, 00000001.00000003.1698790977.0000000001FC0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: msdtcexe.pdbGCTL source: armsvc.exe, 00000001.00000003.1213391981.0000000002070000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: armsvc.exe, 00000001.00000003.1827366220.00000000007F0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: PerfHost.pdbGCTL source: armsvc.exe, 00000001.00000003.1240594107.0000000001FB0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1235751119.0000000002040000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1236521918.0000000002050000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: JHafvhydouNovF.exe, 0000000D.00000002.2405366340.000000000092F000.00000002.00000001.01000000.00000007.sdmp, JHafvhydouNovF.exe, 00000023.00000002.2452069883.000000000092F000.00000002.00000001.01000000.00000007.sdmp
                Source: Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: armsvc.exe, 00000001.00000003.1676598207.0000000001FB0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\T\Acrobat\Installers\ADNotificationManager\Viewer Release_x64\ADNotificationManager.pdb source: ADNotificationManager.exe.1.dr
                Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: armsvc.exe, 00000001.00000003.1603124621.00000000019D0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmid_objs\rmid.pdb source: rmid.exe.1.dr
                Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: armsvc.exe, 00000001.00000003.1623851549.0000000002020000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: PerfHost.pdb source: armsvc.exe, 00000001.00000003.1240594107.0000000001FB0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1235751119.0000000002040000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1236521918.0000000002050000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: armsvc.exe, 00000001.00000003.1683926901.0000000001FC0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: armsvc.exe, 00000001.00000003.1725592296.0000000001FC0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: MFPMP.pdb source: svchost.exe, 00000002.00000003.1286446437.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1287237079.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1287309124.0000000002E24000.00000004.00000020.00020000.00000000.sdmp, JHafvhydouNovF.exe, 0000000D.00000003.1692984351.0000000001054000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\klist_objs\klist.pdb source: klist.exe.1.dr
                Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\tnameserv_objs\tnameserv.pdb source: tnameserv.exe.1.dr
                Source: Binary string: maintenanceservice.pdb` source: armsvc.exe, 00000001.00000003.1208471492.0000000002000000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: armsvc.exe, 00000001.00000003.1737871345.0000000002030000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1745300945.00000000019D0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: Request for Quotation 2170032137 PDF.exe, 00000000.00000003.1149607815.0000000004080000.00000004.00001000.00020000.00000000.sdmp, Request for Quotation 2170032137 PDF.exe, 00000000.00000003.1153123563.0000000004D70000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1224739065.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1319947125.0000000003500000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1319947125.000000000369E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1220845297.0000000003100000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 0000000F.00000003.1319850265.0000000002EA7000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 0000000F.00000003.1323704812.0000000003055000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 0000000F.00000002.2459249033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, mfpmp.exe, 0000000F.00000002.2459249033.000000000339E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: TieringEngineService.pdb source: armsvc.exe, 00000001.00000003.1294714675.0000000002040000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: TieringEngineService.pdbGCTL source: armsvc.exe, 00000001.00000003.1294714675.0000000002040000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: WmiApSrv.pdb source: armsvc.exe, 00000001.00000003.1345776627.0000000002040000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: armsvc.exe, 00000001.00000003.1633923544.0000000001AB0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\a\_work\e\src\out\Release_x64\notification_helper.exe.pdbOGP source: notification_click_helper.exe.1.dr
                Source: Binary string: ALG.pdb source: Request for Quotation 2170032137 PDF.exe, 00000000.00000003.1147493593.0000000003F20000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmiregistry_objs\rmiregistry.pdb source: rmiregistry.exe.1.dr
                Source: Binary string: msdtcexe.pdb source: armsvc.exe, 00000001.00000003.1213391981.0000000002070000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: armsvc.exe, 00000001.00000003.1163574287.00000000020A0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: ALG.pdbGCTL source: Request for Quotation 2170032137 PDF.exe, 00000000.00000003.1147493593.0000000003F20000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: armsvc.exe, 00000001.00000003.1173376977.0000000002090000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: locator.pdbGCTL source: armsvc.exe, 00000001.00000003.1242191061.0000000002040000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1255672902.0000000001FA0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: armsvc.exe, 00000001.00000003.1441681330.0000000001FB0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\T\Acrobat\Installers\ADNotificationManager\Viewer Release_x64\ADNotificationManager.pdb22 source: ADNotificationManager.exe.1.dr
                Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\klist_objs\klist.pdb source: klist.exe.1.dr
                Source: Binary string: ssh-agent.pdbX source: armsvc.exe, 00000001.00000003.1289641035.0000000002040000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: vssvc.pdbUGP source: VSSVC.exe.1.dr
                Source: Binary string: AppVShNotify.pdb source: armsvc.exe, 00000001.00000003.1823458268.00000000007B0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: snmptrap.pdb source: armsvc.exe, 00000001.00000003.1268341299.0000000002040000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: armsvc.exe, 00000001.00000003.1683926901.0000000001FC0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: armsvc.exe, 00000001.00000003.1633923544.0000000001AB0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: AppVShNotify.pdbGCTL source: armsvc.exe, 00000001.00000003.1823458268.00000000007B0000.00000004.00001000.00020000.00000000.sdmp

                Spreading

                barindex
                Infects executable files (exe, dll, sys, html)
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Windows\System32\wbem\WmiApSrv.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Mozilla Firefox\pingsender.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Windows\System32\vds.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeSystem file written: C:\Windows\System32\alg.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\7-Zip\7zFM.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Windows\System32\snmptrap.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Windows\System32\Spectrum.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Windows Media Player\wmpnetwk.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Windows\System32\Locator.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\updater.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\7-Zip\7z.exeJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeSystem file written: C:\Windows\System32\AppVClient.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Mozilla Firefox\crashreporter.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Windows\SysWOW64\perfhost.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\7-Zip\7zG.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Windows\System32\msiexec.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Windows\System32\VSSVC.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Windows\System32\wbengine.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Windows\System32\SearchIndexer.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Windows\System32\TieringEngineService.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Mozilla Firefox\firefox.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files (x86)\AutoIt3\Au3Info.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Mozilla Firefox\updater.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files (x86)\AutoIt3\Au3Check.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Windows\System32\AgentService.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\7-Zip\Uninstall.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Windows\System32\FXSSVC.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeSystem file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Windows\System32\OpenSSH\ssh-agent.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Windows\System32\SensorDataService.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Windows\System32\msdtc.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_0046445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_0046445A
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_0046C6D1 FindFirstFileW,FindClose,0_2_0046C6D1
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_0046C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0046C75C
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_0046EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0046EF95
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_0046F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0046F0F2
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_0046F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0046F3F3
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_004637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_004637EF
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00463B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00463B12
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_0046BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0046BCBC
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\java.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaw.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaws.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\java.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaw.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaws.exeJump to behavior

                Networking

                barindex
                Suricata IDS alerts for network traffic
                Source: Network trafficSuricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.4:49717 -> 72.52.178.23:80
                Source: Network trafficSuricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.4:49786 -> 54.169.144.97:80
                Source: Network trafficSuricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.4:56254 -> 1.1.1.1:53
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49737 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49737 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49776 -> 199.59.243.160:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49789 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49754 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.4:57790 -> 1.1.1.1:53
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49852 -> 37.27.60.109:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49852 -> 37.27.60.109:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49770 -> 199.59.243.160:80
                Source: Network trafficSuricata IDS: 2051653 - Severity 1 - ET MALWARE DNS Query to Expiro Domain (htwqzczce .biz) : 192.168.2.4:63546 -> 1.1.1.1:53
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49761 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49785 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49812 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49823 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49832 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49757 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49796 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49796 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49853 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49764 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2051651 - Severity 1 - ET MALWARE DNS Query to Expiro Domain (eufxebus .biz) : 192.168.2.4:62418 -> 1.1.1.1:53
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49764 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49793 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49815 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49815 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49856 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49856 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49854 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49809 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49848 -> 37.27.60.109:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49827 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49845 -> 37.27.60.109:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49778 -> 199.59.243.160:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49778 -> 199.59.243.160:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49773 -> 199.59.243.160:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49805 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49858 -> 203.161.60.161:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49855 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49851 -> 37.27.60.109:80
                Source: Network trafficSuricata IDS: 2051654 - Severity 1 - ET MALWARE DNS Query to Expiro Domain (cikivjto .biz) : 192.168.2.4:49744 -> 1.1.1.1:53
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49857 -> 203.161.60.161:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49836 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49836 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49859 -> 203.161.60.161:80
                Performs DNS queries to domains with low reputation
                Source: DNS query: www.minimalbtc.xyz
                Source: DNS query: www.dappbtc.xyz
                Source: DNS query: www.stakemask.xyz
                Source: DNS query: www.agistaking.xyz
                Source: DNS query: www.publicblockchain.xyz
                Queries random domain names (often used to prevent blacklisting and sinkholes)
                Source: unknownDNS traffic detected: English language letter frequency does not match the domain names
                Source: unknownNetwork traffic detected: DNS query count 106
                Source: global trafficDNS traffic detected: number of DNS queries: 106
                Source: Joe Sandbox ViewIP Address: 13.248.148.254 13.248.148.254
                Source: Joe Sandbox ViewIP Address: 13.248.148.254 13.248.148.254
                Source: Joe Sandbox ViewIP Address: 13.248.169.48 13.248.169.48
                Source: Network trafficSuricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 3.229.117.57:80 -> 192.168.2.4:49741
                Source: Network trafficSuricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 3.229.117.57:80 -> 192.168.2.4:49741
                Source: Network trafficSuricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 34.245.175.187:80 -> 192.168.2.4:49746
                Source: Network trafficSuricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.169.144.97:80 -> 192.168.2.4:49786
                Source: Network trafficSuricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.169.144.97:80 -> 192.168.2.4:49786
                Source: Network trafficSuricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 34.245.175.187:80 -> 192.168.2.4:49746
                Source: Network trafficSuricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 34.229.166.50:80 -> 192.168.2.4:49769
                Source: Network trafficSuricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 34.229.166.50:80 -> 192.168.2.4:49769
                Source: Network trafficSuricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 13.213.51.196:80 -> 192.168.2.4:49795
                Source: Network trafficSuricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 13.213.51.196:80 -> 192.168.2.4:49795
                Source: Network trafficSuricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 52.11.240.239:80 -> 192.168.2.4:49710
                Source: Network trafficSuricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 52.11.240.239:80 -> 192.168.2.4:49710
                Source: Network trafficSuricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.142.91.111:80 -> 192.168.2.4:49779
                Source: Network trafficSuricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.142.91.111:80 -> 192.168.2.4:49779
                Source: Network trafficSuricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 52.43.119.120:80 -> 192.168.2.4:49752
                Source: Network trafficSuricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 52.43.119.120:80 -> 192.168.2.4:49752
                Source: Network trafficSuricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.85.87.184:80 -> 192.168.2.4:49753
                Source: Network trafficSuricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 52.26.80.133:80 -> 192.168.2.4:49787
                Source: Network trafficSuricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.85.87.184:80 -> 192.168.2.4:49753
                Source: Network trafficSuricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 52.26.80.133:80 -> 192.168.2.4:49787
                Source: Network trafficSuricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 52.212.150.54:80 -> 192.168.2.4:49802
                Source: Network trafficSuricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 52.212.150.54:80 -> 192.168.2.4:49802
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_004722EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_004722EE
                Source: global trafficHTTP traffic detected: GET /mqvmnujuhcpcx?usid=26&utid=11300861055 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww7.przvgke.biz
                Source: global trafficHTTP traffic detected: GET /lgcaujfqnffhjl?usid=26&utid=11300861172 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww7.przvgke.biz
                Source: global trafficHTTP traffic detected: GET /j422/?k07=pdZ8&LHjlQ=FUOfllrMHRVlL2mP9dpFtlJ7w5e63t2rBG4iChoHy9jO0xa6Gzw56eLBxdOIk/dIKvPqMZj+oWY7sauAPMCxWZArGu+MyfyU7LQKnbq/Om18e125mnYqe98= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.minimalbtc.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /mwhvimeidcfs?usid=26&utid=11300867017 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww7.fwiwk.biz
                Source: global trafficHTTP traffic detected: GET /canbkxoppaq?usid=26&utid=11300867135 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww12.fwiwk.biz
                Source: global trafficHTTP traffic detected: GET /pyxq/?LHjlQ=voi6TgACTnyN5gbZYmU17u0h/VvpkraiSkSL1M3zbYGOCvXanSp74LpL3h0aAKQshQlyQ1kby8ogou9zAffBNKdsiowaI9GRahkqR5DXE2LnsscTpBmnflg=&k07=pdZ8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.deepwork.cafeConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /4udu/?LHjlQ=QPOxO2JOSBeIkdRIJ7kHfEfpa4SAwF/WxXvhpqosjTHM3PFGv2TE4R55nnK/GVLmYbqeoCZ32Sz0NtXBeMrpNSAZ0hCamPuf4pMsJIkclL+7GyT0E55kVqE=&k07=pdZ8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.dresses-executive.sbsConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /7bzp/?LHjlQ=aR6WdwHaaPmew49IGl9c2CyrORGhdUxKRjpfDDDEmaIVpXDnsjMmJ0s7T5q7/mJAEyjBMk5h7mx5tXd7udb6EMTlIvch2q9+PHlpJuVOHss5uOhsYNovhdM=&k07=pdZ8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.dappbtc.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /gwo6/?k07=pdZ8&LHjlQ=MBEKEv0ugpgWX2jua16KbRtCIB3s6ka+zKgBsYRR8c9E1EzqhBu48/qzeTOQx3bSOlhdcb/rXf0aputkyH2GEaaTMgSCSx6h1rRpE7wz+fc0QC+fndBMDtU= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.stakemask.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /ksdo?usid=26&utid=11300878579 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww7.wxgzshna.biz
                Source: global trafficHTTP traffic detected: GET /ihsacjnkmvpjjh?usid=26&utid=11300878721 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww12.wxgzshna.biz
                Source: global trafficHTTP traffic detected: GET /bguu/?LHjlQ=wpZ2zrhVCI3JLgG0fmBBss6LPjHlWe1w/JFFDzKF+V7h32CQ3OMTdOkGE8NCHKIXe6YEJzSxYnSm/JZ2Z7T7gNAl4zG8Smso5QFplpDKnUXP2BcIMSrtmpg=&k07=pdZ8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.agistaking.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /rraxtlqchlhkkq?usid=26&utid=11300879482 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww7.htwqzczce.biz
                Source: global trafficHTTP traffic detected: GET /qhglahexvppoorb?usid=26&utid=11300879623 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww7.htwqzczce.biz
                Source: global trafficHTTP traffic detected: GET /9x20/?LHjlQ=lomPZfbkX5/Tg+6jmw8dyMDkjP4NXk0abi78pjf9+/jRa8r0UKnkgOsbdV67hnlDhoKnZ5+zibRYdRwwM6kGhJJ3GpxF1D+e7zNnDN/YPp88POfC8mTtY1w=&k07=pdZ8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.publicblockchain.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 UBrowser/5.4.4237.1024 Safari/537.36
                Source: global trafficDNS traffic detected: DNS query: pywolwnvd.biz
                Source: global trafficDNS traffic detected: DNS query: ssbzmoy.biz
                Source: global trafficDNS traffic detected: DNS query: cvgrf.biz
                Source: global trafficDNS traffic detected: DNS query: npukfztj.biz
                Source: global trafficDNS traffic detected: DNS query: przvgke.biz
                Source: global trafficDNS traffic detected: DNS query: ww7.przvgke.biz
                Source: global trafficDNS traffic detected: DNS query: zlenh.biz
                Source: global trafficDNS traffic detected: DNS query: knjghuig.biz
                Source: global trafficDNS traffic detected: DNS query: uhxqin.biz
                Source: global trafficDNS traffic detected: DNS query: anpmnmxo.biz
                Source: global trafficDNS traffic detected: DNS query: lpuegx.biz
                Source: global trafficDNS traffic detected: DNS query: vjaxhpbji.biz
                Source: global trafficDNS traffic detected: DNS query: www.minimalbtc.xyz
                Source: global trafficDNS traffic detected: DNS query: xlfhhhm.biz
                Source: global trafficDNS traffic detected: DNS query: ifsaia.biz
                Source: global trafficDNS traffic detected: DNS query: saytjshyf.biz
                Source: global trafficDNS traffic detected: DNS query: vcddkls.biz
                Source: global trafficDNS traffic detected: DNS query: fwiwk.biz
                Source: global trafficDNS traffic detected: DNS query: ww7.fwiwk.biz
                Source: global trafficDNS traffic detected: DNS query: ww12.fwiwk.biz
                Source: global trafficDNS traffic detected: DNS query: tbjrpv.biz
                Source: global trafficDNS traffic detected: DNS query: deoci.biz
                Source: global trafficDNS traffic detected: DNS query: gytujflc.biz
                Source: global trafficDNS traffic detected: DNS query: qaynky.biz
                Source: global trafficDNS traffic detected: DNS query: bumxkqgxu.biz
                Source: global trafficDNS traffic detected: DNS query: dwrqljrr.biz
                Source: global trafficDNS traffic detected: DNS query: nqwjmb.biz
                Source: global trafficDNS traffic detected: DNS query: ytctnunms.biz
                Source: global trafficDNS traffic detected: DNS query: www.deepwork.cafe
                Source: global trafficDNS traffic detected: DNS query: myups.biz
                Source: global trafficDNS traffic detected: DNS query: oshhkdluh.biz
                Source: global trafficDNS traffic detected: DNS query: yunalwv.biz
                Source: global trafficDNS traffic detected: DNS query: jpskm.biz
                Source: global trafficDNS traffic detected: DNS query: lrxdmhrr.biz
                Source: global trafficDNS traffic detected: DNS query: wllvnzb.biz
                Source: global trafficDNS traffic detected: DNS query: gnqgo.biz
                Source: global trafficDNS traffic detected: DNS query: jhvzpcfg.biz
                Source: global trafficDNS traffic detected: DNS query: acwjcqqv.biz
                Source: global trafficDNS traffic detected: DNS query: lejtdj.biz
                Source: global trafficDNS traffic detected: DNS query: vyome.biz
                Source: global trafficDNS traffic detected: DNS query: yauexmxk.biz
                Source: global trafficDNS traffic detected: DNS query: www.dresses-executive.sbs
                Source: global trafficDNS traffic detected: DNS query: iuzpxe.biz
                Source: global trafficDNS traffic detected: DNS query: sxmiywsfv.biz
                Source: global trafficDNS traffic detected: DNS query: vrrazpdh.biz
                Source: global trafficDNS traffic detected: DNS query: ftxlah.biz
                Source: global trafficDNS traffic detected: DNS query: typgfhb.biz
                Source: global trafficDNS traffic detected: DNS query: esuzf.biz
                Source: global trafficDNS traffic detected: DNS query: gvijgjwkh.biz
                Source: global trafficDNS traffic detected: DNS query: qpnczch.biz
                Source: global trafficDNS traffic detected: DNS query: brsua.biz
                Source: global trafficDNS traffic detected: DNS query: dlynankz.biz
                Source: global trafficDNS traffic detected: DNS query: www.dappbtc.xyz
                Source: global trafficDNS traffic detected: DNS query: oflybfv.biz
                Source: global trafficDNS traffic detected: DNS query: yhqqc.biz
                Source: global trafficDNS traffic detected: DNS query: mnjmhp.biz
                Source: global trafficDNS traffic detected: DNS query: opowhhece.biz
                Source: global trafficDNS traffic detected: DNS query: zjbpaao.biz
                Source: global trafficDNS traffic detected: DNS query: jdhhbs.biz
                Source: global trafficDNS traffic detected: DNS query: mgmsclkyu.biz
                Source: global trafficDNS traffic detected: DNS query: warkcdu.biz
                Source: global trafficDNS traffic detected: DNS query: gcedd.biz
                Source: global trafficDNS traffic detected: DNS query: jwkoeoqns.biz
                Source: global trafficDNS traffic detected: DNS query: xccjj.biz
                Source: global trafficDNS traffic detected: DNS query: hehckyov.biz
                Source: global trafficDNS traffic detected: DNS query: rynmcq.biz
                Source: global trafficDNS traffic detected: DNS query: uaafd.biz
                Source: global trafficDNS traffic detected: DNS query: eufxebus.biz
                Source: global trafficDNS traffic detected: DNS query: www.stakemask.xyz
                Source: global trafficDNS traffic detected: DNS query: pwlqfu.biz
                Source: global trafficDNS traffic detected: DNS query: rrqafepng.biz
                Source: global trafficDNS traffic detected: DNS query: ctdtgwag.biz
                Source: global trafficDNS traffic detected: DNS query: tnevuluw.biz
                Source: global trafficDNS traffic detected: DNS query: whjovd.biz
                Source: global trafficDNS traffic detected: DNS query: gjogvvpsf.biz
                Source: global trafficDNS traffic detected: DNS query: reczwga.biz
                Source: global trafficDNS traffic detected: DNS query: bghjpy.biz
                Source: global trafficDNS traffic detected: DNS query: damcprvgv.biz
                Source: global trafficDNS traffic detected: DNS query: ocsvqjg.biz
                Source: global trafficDNS traffic detected: DNS query: ywffr.biz
                Source: global trafficDNS traffic detected: DNS query: ecxbwt.biz
                Source: global trafficDNS traffic detected: DNS query: www.agistaking.xyz
                Source: global trafficDNS traffic detected: DNS query: pectx.biz
                Source: global trafficDNS traffic detected: DNS query: zyiexezl.biz
                Source: global trafficDNS traffic detected: DNS query: banwyw.biz
                Source: global trafficDNS traffic detected: DNS query: muapr.biz
                Source: global trafficDNS traffic detected: DNS query: wxgzshna.biz
                Source: global trafficDNS traffic detected: DNS query: ww7.wxgzshna.biz
                Source: global trafficDNS traffic detected: DNS query: ww12.wxgzshna.biz
                Source: global trafficDNS traffic detected: DNS query: zrlssa.biz
                Source: global trafficDNS traffic detected: DNS query: jlqltsjvh.biz
                Source: global trafficDNS traffic detected: DNS query: xyrgy.biz
                Source: global trafficDNS traffic detected: DNS query: htwqzczce.biz
                Source: global trafficDNS traffic detected: DNS query: ww7.htwqzczce.biz
                Source: global trafficDNS traffic detected: DNS query: kvbjaur.biz
                Source: global trafficDNS traffic detected: DNS query: uphca.biz
                Source: global trafficDNS traffic detected: DNS query: fjumtfnz.biz
                Source: global trafficDNS traffic detected: DNS query: hlzfuyy.biz
                Source: global trafficDNS traffic detected: DNS query: rffxu.biz
                Source: global trafficDNS traffic detected: DNS query: www.leadmagnetkpis.shop
                Source: unknownHTTP traffic detected: POST /rfjtdgqx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 852
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Wed, 19 Mar 2025 07:56:56 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Wed, 19 Mar 2025 07:56:56 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Wed, 19 Mar 2025 07:57:05 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Wed, 19 Mar 2025 07:57:06 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/plain; charset=utf-8X-Content-Type-Options: nosniffDate: Wed, 19 Mar 2025 07:57:28 GMTContent-Length: 19Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/plain; charset=utf-8X-Content-Type-Options: nosniffDate: Wed, 19 Mar 2025 07:57:28 GMTContent-Length: 19Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Wed, 19 Mar 2025 07:57:53 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Wed, 19 Mar 2025 07:57:53 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Wed, 19 Mar 2025 07:57:53 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: Request for Quotation 2170032137 PDF.exe, 00000000.00000002.1162966240.0000000000C12000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1560613321.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1237469705.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1237469705.0000000000938000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1582012563.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1560613321.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://13.213.51.196/
                Source: armsvc.exe, 00000001.00000003.1186992058.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://13.213.51.196/0A
                Source: Request for Quotation 2170032137 PDF.exe, 00000000.00000002.1162966240.0000000000C12000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1237469705.0000000000938000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1560613321.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://13.213.51.196/2
                Source: armsvc.exe, 00000001.00000003.1560613321.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://13.213.51.196/29A
                Source: armsvc.exe, 00000001.00000003.1237469705.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://13.213.51.196/2jA
                Source: armsvc.exe, 00000001.00000003.1560613321.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://13.213.51.196/7A
                Source: armsvc.exe, 00000001.00000003.1186992058.000000000092F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://13.213.51.196/N
                Source: armsvc.exe, 00000001.00000003.1186992058.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://13.213.51.196/aA
                Source: armsvc.exe, 00000001.00000003.1749786942.0000000000959000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://13.213.51.196/cawykoai
                Source: armsvc.exe, 00000001.00000003.1360315784.0000000000938000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1237469705.0000000000938000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1482871481.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://13.213.51.196/fsjnnvpccrd
                Source: armsvc.exe, 00000001.00000003.1186992058.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://13.213.51.196/mxsykvrwmaxxtlj
                Source: armsvc.exe, 00000001.00000003.1186992058.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://13.213.51.196/mxsykvrwmaxxtljFE
                Source: armsvc.exe, 00000001.00000003.1186992058.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://13.213.51.196/mxsykvrwmaxxtljRE
                Source: armsvc.exe, 00000001.00000003.1561097272.0000000000968000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1560613321.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://13.213.51.196/qeihckogtirkd
                Source: armsvc.exe, 00000001.00000003.1560613321.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://13.213.51.196/qeihckogtirkdlE
                Source: Request for Quotation 2170032137 PDF.exe, 00000000.00000002.1163263435.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation 2170032137 PDF.exe, 00000000.00000002.1162966240.0000000000C12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://13.213.51.196/yimcr
                Source: Request for Quotation 2170032137 PDF.exe, 00000000.00000002.1162841878.0000000000BB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://13.213.51.196:80/yimcr1
                Source: armsvc.exe, 00000001.00000003.1684983703.0000000000938000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1695641462.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://165.160.13.20/
                Source: armsvc.exe, 00000001.00000003.1684983703.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://165.160.13.20/mjlgxahuwwe
                Source: armsvc.exe, 00000001.00000003.1684983703.000000000099C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://165.160.13.20/mjlgxahuwweH
                Source: armsvc.exe, 00000001.00000003.1684983703.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://165.160.13.20/mjlgxahuwwegsRE
                Source: armsvc.exe, 00000001.00000003.1684983703.0000000000938000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1695641462.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://165.160.13.20/u
                Source: armsvc.exe, 00000001.00000003.1684983703.0000000000938000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1695641462.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://165.160.13.20/ueF
                Source: armsvc.exe, 00000001.00000003.1631029693.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1535382759.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1631029693.0000000000938000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1544561375.0000000000938000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1535382759.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://18.142.91.111/
                Source: armsvc.exe, 00000001.00000003.1631029693.0000000000938000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1544561375.0000000000938000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1560613321.0000000000938000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1535382759.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://18.142.91.111/2
                Source: armsvc.exe, 00000001.00000003.1631029693.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://18.142.91.111/r
                Source: armsvc.exe, 00000001.00000003.1544038958.0000000000958000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1536593064.0000000000959000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1535382759.000000000094E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://18.142.91.111/xtu
                Source: armsvc.exe, 00000001.00000003.1536789511.0000000000967000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1536256943.0000000000965000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1535382759.000000000094E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://18.142.91.111/xtu(
                Source: armsvc.exe, 00000001.00000003.1631029693.0000000000938000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1613790975.0000000000938000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1639354677.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://208.117.43.225/
                Source: armsvc.exe, 00000001.00000003.1613790975.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://208.117.43.225/aA
                Source: armsvc.exe, 00000001.00000003.1723530077.0000000000959000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1710973101.0000000000959000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1734162018.0000000000959000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://208.117.43.225/gvyhjtokwdpgrf
                Source: armsvc.exe, 00000001.00000003.1613790975.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://208.117.43.225/jA
                Source: armsvc.exe, 00000001.00000003.1615755931.0000000000958000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1631029693.000000000094E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1631930709.0000000000958000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1613790975.000000000094E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://208.117.43.225/mfu
                Source: armsvc.exe, 00000001.00000003.1615755931.0000000000958000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1631029693.000000000094E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1631930709.0000000000958000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1613790975.000000000094E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://208.117.43.225/mfuhp
                Source: armsvc.exe, 00000001.00000003.1205489687.0000000000938000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1560613321.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1613790975.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1237469705.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1535382759.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1360315784.0000000000930000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1482871481.0000000000930000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1603391238.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1544561375.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1544561375.0000000000938000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1594315416.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1505508107.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1582012563.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1205489687.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1220928824.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1639354677.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://3.229.117.57/
                Source: armsvc.exe, 00000001.00000003.1639354677.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://3.229.117.57//
                Source: armsvc.exe, 00000001.00000003.1205489687.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://3.229.117.57/12MA
                Source: armsvc.exe, 00000001.00000003.1639354677.000000000092F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://3.229.117.57/T
                Source: armsvc.exe, 00000001.00000003.1651548333.000000000094E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1639354677.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://3.229.117.57/fuxecuurglanp
                Source: armsvc.exe, 00000001.00000003.1639354677.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://3.229.117.57/fuxecuurglanpgs
                Source: armsvc.exe, 00000001.00000003.1850207687.0000000000970000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1783244281.000000000096E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1796309787.0000000000970000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1802582465.0000000000970000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1820693185.0000000000970000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1781889740.000000000095D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1838371525.0000000000970000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://3.229.117.57/kuuibbxqjxtxyu
                Source: armsvc.exe, 00000001.00000003.1205489687.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://3.229.117.57/to
                Source: armsvc.exe, 00000001.00000003.1205489687.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://3.229.117.57/xto
                Source: armsvc.exe, 00000001.00000003.1615755931.0000000000958000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1613790975.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1631029693.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1603391238.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1651548333.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1605929496.0000000000958000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1639354677.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1672612899.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1603391238.000000000094E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1663418164.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1613790975.000000000094E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1676599254.0000000000930000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://34.229.166.50/
                Source: armsvc.exe, 00000001.00000003.1603391238.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://34.229.166.50/2jA
                Source: armsvc.exe, 00000001.00000003.1605929496.0000000000958000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1603391238.000000000094E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://34.229.166.50/pnido
                Source: armsvc.exe, 00000001.00000003.1604680007.0000000000966000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://34.229.166.50/pnido/3.43.
                Source: armsvc.exe, 00000001.00000003.1605929496.0000000000958000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1603391238.000000000094E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://34.229.166.50/pnidoKp
                Source: armsvc.exe, 00000001.00000003.1594315416.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://34.245.175.187/
                Source: armsvc.exe, 00000001.00000003.1594315416.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1594315416.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://34.245.175.187/rdhkpcoqcurgmwew
                Source: armsvc.exe, 00000001.00000003.1595109039.0000000000965000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1594315416.000000000094E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://34.245.175.187/t
                Source: Request for Quotation 2170032137 PDF.exe, 00000000.00000002.1162966240.0000000000C02000.00000004.00000020.00020000.00000000.sdmp, Request for Quotation 2170032137 PDF.exe, 00000000.00000002.1162841878.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1195543789.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1651548333.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1695641462.0000000000938000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1695641462.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1205489687.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1663418164.000000000092F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://52.11.240.239/
                Source: armsvc.exe, 00000001.00000003.1195543789.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1167990228.0000000000930000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1186992058.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1205489687.000000000092F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://52.11.240.239/&
                Source: armsvc.exe, 00000001.00000003.1195543789.0000000000938000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1695641462.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://52.11.240.239/2
                Source: armsvc.exe, 00000001.00000003.1695641462.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://52.11.240.239/2aA
                Source: armsvc.exe, 00000001.00000003.1695641462.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://52.11.240.239/2jA
                Source: armsvc.exe, 00000001.00000003.1651548333.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://52.11.240.239/9A
                Source: armsvc.exe, 00000001.00000003.1698249565.0000000000959000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1695641462.000000000094E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1696996216.0000000000958000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://52.11.240.239/dqugatmoso
                Source: armsvc.exe, 00000001.00000003.1195388799.000000000094E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://52.11.240.239/jnprajv
                Source: Request for Quotation 2170032137 PDF.exe, 00000000.00000002.1162966240.0000000000C02000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://52.11.240.239/l
                Source: armsvc.exe, 00000001.00000003.1167990228.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://52.11.240.239/xA
                Source: armsvc.exe, 00000001.00000003.1723530077.0000000000959000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://52.26.80.133/yhmkjadkpr
                Source: armsvc.exe, 00000001.00000003.1663418164.0000000000938000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1672612899.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1663418164.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1676599254.0000000000930000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://52.43.119.120/
                Source: armsvc.exe, 00000001.00000003.1663418164.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://52.43.119.120/2
                Source: armsvc.exe, 00000001.00000003.1663418164.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://52.43.119.120/27A
                Source: armsvc.exe, 00000001.00000003.1663418164.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://52.43.119.120/9A
                Source: armsvc.exe, 00000001.00000003.1663418164.000000000094E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1665806136.0000000000958000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://52.43.119.120/rncroti
                Source: armsvc.exe, 00000001.00000003.1505508107.0000000000938000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1505508107.000000000092F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://54.169.144.97/
                Source: armsvc.exe, 00000001.00000003.1505508107.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://54.169.144.97/aA
                Source: armsvc.exe, 00000001.00000003.1505893986.0000000000965000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1505385802.0000000000958000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://54.169.144.97:80/wfhwbqo
                Source: armsvc.exe, 00000001.00000003.1676599254.0000000000938000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1672612899.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1695641462.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1684983703.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1672612899.0000000000938000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1676599254.0000000000930000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://54.85.87.184/
                Source: armsvc.exe, 00000001.00000003.1672612899.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://54.85.87.184/12
                Source: armsvc.exe, 00000001.00000003.1672612899.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1695641462.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1684983703.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1672612899.0000000000938000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1676599254.0000000000930000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://54.85.87.184/b
                Source: armsvc.exe, 00000001.00000003.1582012563.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://72.52.178.23/
                Source: armsvc.exe, 00000001.00000003.1220928824.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://72.52.178.23/12
                Source: armsvc.exe, 00000001.00000003.1220928824.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://72.52.178.23/lgcaujfqnffhjl
                Source: armsvc.exe, 00000001.00000003.1220928824.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://72.52.178.23/mqvmnujuhcpcx
                Source: armsvc.exe, 00000001.00000003.1220928824.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://72.52.178.23/mqvmnujuhcpcx6alE
                Source: armsvc.exe, 00000001.00000003.1582012563.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://72.52.178.23/mwhvimeidcfs
                Source: armsvc.exe, 00000001.00000003.1583198646.0000000000958000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1582012563.000000000094E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1595109039.0000000000965000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1604680007.0000000000966000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1594315416.000000000094E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://82.112.
                Source: armsvc.exe, 00000001.00000003.1360315784.0000000000938000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1482871481.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://82.112.184.197/
                Source: armsvc.exe, 00000001.00000003.1482871481.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://82.112.184.197/aA
                Source: armsvc.exe, 00000001.00000003.1544038958.0000000000968000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1505893986.0000000000965000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1505508107.0000000000938000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1484783444.0000000000968000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1536789511.0000000000967000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1536256943.0000000000965000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1544561375.0000000000938000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1561097272.0000000000968000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1535382759.0000000000938000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1505385802.0000000000958000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1482871481.0000000000938000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1535382759.000000000094E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://82.112.184.197/doecogaamdbjjf
                Source: armsvc.exe, 00000001.00000003.1505508107.0000000000938000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1544561375.0000000000938000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1535382759.0000000000938000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1482871481.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://82.112.184.197/doecogaamdbjjfFE
                Source: armsvc.exe, 00000001.00000003.1505508107.0000000000938000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1482871481.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://82.112.184.197/kwegyfuiasxdksht
                Source: armsvc.exe, 00000001.00000003.1632813496.0000000000966000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1615021119.0000000000966000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1631029693.0000000000966000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1360315784.0000000000938000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1640708653.000000000095F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1583198646.0000000000958000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1582012563.000000000094E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1595109039.0000000000965000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1641446284.000000000096B000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1604680007.0000000000966000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1594315416.000000000094E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://82.112.184.197/oxmcmifekqcl
                Source: armsvc.exe, 00000001.00000003.1544038958.0000000000968000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1360852775.0000000000967000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1505893986.0000000000965000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1484783444.0000000000968000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1536789511.0000000000967000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1536256943.0000000000965000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1360042455.000000000094E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1360672424.0000000000965000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1561097272.0000000000968000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1505385802.0000000000958000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1535382759.000000000094E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://82.112.184.197/oxmcmifekqcl$4(
                Source: armsvc.exe, 00000001.00000003.1360315784.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://82.112.184.197/oxmcmifekqcls
                Source: armsvc.exe, 00000001.00000003.1639354677.000000000092F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://bumxkqgxu.biz/
                Source: armsvc.exe, 00000001.00000003.1651548333.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1663418164.000000000092F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrqljrr.biz/
                Source: armsvc.exe, 00000001.00000003.1783244281.00000000009BA000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1850207687.00000000009BA000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1802582465.00000000009BA000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1796309787.00000000009BA000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1820693185.00000000009BA000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1757586668.00000000009BA000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1766809679.00000000009BA000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1838371525.00000000009BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://gnqgo.biz/f
                Source: armsvc.exe, 00000001.00000003.1535382759.000000000092F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ifsaia.biz/
                Source: armsvc.exe, 00000001.00000003.1751005511.00000000009BA000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1733808637.00000000009BA000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1749561088.00000000009BA000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1723251881.00000000009BA000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1757586668.00000000009BA000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1766809679.00000000009BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://jpskm.biz/
                Source: armsvc.exe, 00000001.00000003.1237469705.000000000092F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://knjghuig.biz/
                Source: armsvc.exe, 00000001.00000003.1672612899.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1663418164.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1676599254.0000000000930000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://nqwjmb.biz/T
                Source: armsvc.exe, 00000001.00000003.1695641462.000000000092F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://oshhkdluh.biz/
                Source: Request for Quotation 2170032137 PDF.exe, 00000000.00000002.1162841878.0000000000BB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://pywolwnvd.biz/p4
                Source: armsvc.exe, 00000001.00000003.1631029693.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1639354677.000000000092F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://qaynky.biz//
                Source: armsvc.exe, 00000001.00000003.1560613321.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1613790975.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1631029693.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1603391238.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1651548333.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1639354677.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1544561375.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1594315416.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1582012563.000000000092F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://saytjshyf.biz/
                Source: armsvc.exe, 00000001.00000003.1195543789.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1186992058.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1205489687.000000000092F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ssbzmoy.biz/
                Source: armsvc.exe, 00000001.00000003.1603391238.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1594315416.000000000092F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://tbjrpv.biz/
                Source: armsvc.exe, 00000001.00000003.1850207687.00000000009BA000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1802582465.00000000009BA000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1796309787.00000000009BA000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1820693185.00000000009BA000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1838371525.00000000009BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://vyome.biz/
                Source: armsvc.exe, 00000001.00000003.1582012563.0000000000938000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1603391238.0000000000938000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1594315416.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ww12.fwiwk.biz/
                Source: armsvc.exe, 00000001.00000003.1803271187.0000000000960000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1615755931.0000000000958000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1595487253.0000000000958000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1632813496.000000000095D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1749786942.0000000000959000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1684983703.000000000094E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1723530077.0000000000959000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1673713811.0000000000958000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1698249565.0000000000959000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1788047786.000000000095D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1686304134.0000000000958000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1640708653.000000000095F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1652998555.0000000000958000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1663418164.000000000094E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1695641462.000000000094E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1583198646.0000000000958000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1674667479.0000000000961000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1710973101.0000000000959000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1631029693.000000000094E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1605929496.0000000000958000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1582012563.000000000094E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ww12.fwiwk.biz/canbkxoppaq?usid=26&utid=11300867135
                Source: armsvc.exe, 00000001.00000003.1803271187.0000000000960000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1615755931.0000000000958000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1595487253.0000000000958000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1632813496.000000000095D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1749786942.0000000000959000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1684983703.000000000094E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1723530077.0000000000959000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1673713811.0000000000958000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1698249565.0000000000959000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1788047786.000000000095D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1686304134.0000000000958000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1640708653.000000000095F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1652998555.0000000000958000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1663418164.000000000094E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1695641462.000000000094E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1583198646.0000000000958000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1674667479.0000000000961000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1710973101.0000000000959000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1631029693.000000000094E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1605929496.0000000000958000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1582012563.000000000094E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ww7.fwiwk.biz/mwhvimeidcfs?usid=26&utid=11300867017
                Source: armsvc.exe, 00000001.00000003.1220928824.0000000000938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ww7.przvgke.biz/
                Source: armsvc.exe, 00000001.00000003.1803271187.0000000000960000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1615755931.0000000000958000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1220928824.000000000094E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1595487253.0000000000958000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1632813496.000000000095D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1749786942.0000000000959000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1684983703.000000000094E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1723530077.0000000000959000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1673713811.0000000000958000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1698249565.0000000000959000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1788047786.000000000095D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1544038958.0000000000958000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1686304134.0000000000958000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1640708653.000000000095F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1652998555.0000000000958000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1663418164.000000000094E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1695641462.000000000094E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1583198646.0000000000958000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1674667479.0000000000961000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1710973101.0000000000959000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1560613321.000000000094E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ww7.przvgke.biz/lgcaujfqnffhjl?usid=26&utid=11300861172
                Source: armsvc.exe, 00000001.00000003.1220928824.000000000094E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1595487253.0000000000958000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1632813496.000000000095D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1221585788.0000000000966000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1749786942.0000000000959000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1684983703.000000000094E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1237469705.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1723530077.0000000000959000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1673713811.0000000000958000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1698249565.0000000000959000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1788047786.000000000095D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1544038958.0000000000958000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1686304134.0000000000958000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1640708653.000000000095F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1237469705.0000000000966000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1652998555.0000000000958000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1663418164.000000000094E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1695641462.000000000094E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1583198646.0000000000958000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1674667479.0000000000961000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1710973101.0000000000959000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ww7.przvgke.biz/mqvmnujuhcpcx?usid=26&utid=11300861055
                Source: armsvc.exe, 00000001.00000003.1220928824.000000000094E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1222637020.000000000094E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ww7.przvgke.biz/mqvmnujuhcpcx?usid=26&utid=11300861055LocationETagAuthentication-InfoAgeAccep
                Source: Au3Info_x64.exe.1.drString found in binary or memory: http://www.autoitscript.com/autoit3/
                Source: Au3Info_x64.exe.1.drString found in binary or memory: http://www.autoitscript.com/autoit3/8
                Source: JHafvhydouNovF.exe, 00000023.00000002.2467620602.0000000004A67000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.leadmagnetkpis.shop
                Source: JHafvhydouNovF.exe, 00000023.00000002.2467620602.0000000004A67000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.leadmagnetkpis.shop/gtvh/
                Source: armsvc.exe, 00000001.00000003.1508945040.0000000001AB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.winimage.com/zLibDll
                Source: armsvc.exe, 00000001.00000003.1560613321.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1535382759.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1544561375.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1505508107.000000000092F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://xlfhhhm.biz/T
                Source: armsvc.exe, 00000001.00000003.1672612899.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1684983703.000000000092F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1676599254.0000000000930000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ytctnunms.biz/
                Source: mfpmp.exe, 0000000F.00000003.1542851385.0000000007CDE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org?q=
                Source: mfpmp.exe, 0000000F.00000003.1542851385.0000000007CDE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: mfpmp.exe, 0000000F.00000003.1542851385.0000000007CDE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: mfpmp.exe, 0000000F.00000003.1542851385.0000000007CDE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: Acrobat.exe.1.drString found in binary or memory: https://clients2.google.com/service/update2/crxBrowser
                Source: armsvc.exe, 00000001.00000003.1562880880.0000000001AC0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://clients2.google.com/service/update2/crxFailed
                Source: armsvc.exe, 00000001.00000003.1564025626.0000000001AC0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1563769551.0000000001AC0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://clients2.google.com/service/update2/crxHKEY_LOCAL_MACHINE
                Source: Acrobat.exe.1.drString found in binary or memory: https://crbug.com/820996
                Source: Acrobat.exe.1.drString found in binary or memory: https://crbug.com/820996LaunchElevatedProcessdisable-best-effort-tasksdisable-breakpaddisable-featur
                Source: mfpmp.exe, 0000000F.00000003.1542851385.0000000007CDE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: mfpmp.exe, 0000000F.00000003.1542851385.0000000007CDE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabv20
                Source: mfpmp.exe, 0000000F.00000003.1542851385.0000000007CDE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: mfpmp.exe, 0000000F.00000003.1542851385.0000000007CDE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/app?q=
                Source: notification_click_helper.exe.1.drString found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
                Source: notification_click_helper.exe.1.drString found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith
                Source: mfpmp.exe, 0000000F.00000002.2419863216.0000000002D09000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: mfpmp.exe, 0000000F.00000002.2419863216.0000000002CE6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: mfpmp.exe, 0000000F.00000002.2419863216.0000000002CE6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: mfpmp.exe, 0000000F.00000003.1532386082.0000000007CB7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: AutoIt3Help.exe.1.drString found in binary or memory: https://www.autoitscript.com/site/autoit/8
                Source: mfpmp.exe, 0000000F.00000003.1542851385.0000000007CDE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/v20
                Source: armsvc.exe, 00000001.00000003.1632813496.0000000000966000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1615021119.0000000000966000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1216541854.0000000001AC0000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1631029693.0000000000966000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1221585788.0000000000966000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1684983703.000000000094E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1216461117.0000000002080000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1360852775.0000000000967000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1673713811.0000000000958000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1572505008.0000000002010000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1686304134.0000000000958000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1640708653.000000000095F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1237469705.0000000000966000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1652998555.0000000000958000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1663418164.000000000094E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1583198646.0000000000958000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1674667479.0000000000961000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1582012563.000000000094E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1595109039.0000000000965000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1672612899.000000000094E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1360042455.000000000094E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
                Source: mfpmp.exe, 0000000F.00000003.1542851385.0000000007CDE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00474164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00474164
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00474164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00474164
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00473F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00473F66
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_0046001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_0046001C
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_0048CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0048CABC

                E-Banking Fraud

                barindex
                Yara detected FormBook
                Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000F.00000002.2452791922.0000000002DF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1319122745.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.2453998718.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1321465488.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000023.00000002.2467620602.00000000049F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.2405286920.0000000002820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000D.00000002.2454038999.0000000002CB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1319902942.0000000003360000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                Spam, unwanted Advertisements and Ransom Demands

                barindex
                Deletes shadow drive data (may be related to ransomware)
                Source: VSSVC.exe.1.drBinary or memory string: Key with path %p\%s not foundRecursiveDeleteKeySHDeleteKey(%p,%s)CVssCoordinator::QueryCORQRYCbase\stor\vss\modules\coord\src\query.cxxParameters: QueriedObjectId = {%.8x-%.4x-%.4x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x}, eQueriedObjectType = %d, eReturnedObjectsType = %d, ppEnum = %pInvalid QueriedObjectIdInvalid eQueriedObjectTypeInvalid eReturnedObjectsTypeNULL ppEnumMemory allocation error.Error calling Query(). [0x%08lx]Cannot create enumerator instance. [0x%08lx]CVssAdmin::QueryProvidersParameters: ppEnum = %pCVssSnasphotSetIdObserver::CVssSnasphotSetIdObserverCVssSnasphotSetIdObserver::~CVssSnasphotSetIdObserverCVssSnasphotSetIdObserver::StartRecordingCVssSnasphotSetIdObserver::StopRecordingStartRecording was not called successfullyCVssSnasphotSetIdObserver::IsRecordedCVssSnasphotSetIdObserver::BroadcastSSIDCVssSnasphotSetIdObserver::RecordSSIDCVssDLList<class CVssSnasphotSetIdObserver *>::AddVssBuildEnumInterfaceINCENUMHbase\stor\vss\inc\enum.hxxCannot initialize enumerator instance. [0x%08lx]Error querying the <IEnumInterface> interface with GUID {%.8x-%.4x-%.4x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x}. hr = 0x%08lx

                System Summary

                barindex
                Binary is likely a compiled AutoIt script file
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: This is a third-party compiled AutoIt script.0_2_00403B3A
                Source: Request for Quotation 2170032137 PDF.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                Source: Request for Quotation 2170032137 PDF.exe, 00000000.00000000.1139458329.00000000004B4000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_aee06f1b-7
                Source: Request for Quotation 2170032137 PDF.exe, 00000000.00000000.1139458329.00000000004B4000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_2cd7430b-3
                Source: Request for Quotation 2170032137 PDF.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_8ae7be46-9
                Source: Request for Quotation 2170032137 PDF.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_bf7a8803-3
                Initial sample is a PE file and has a suspicious name
                Source: initial sampleStatic PE information: Filename: Request for Quotation 2170032137 PDF.exe
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00A98140 SetFilePointerEx,_strlen,_strlen,_strlen,CloseHandle,OpenProcessToken,GetCurrentProcess,GetTokenInformation,GetLastError,WriteFile,ReadFile,SetFilePointerEx,GetEnvironmentVariableW,_wcslen,GetTempPathW,wsprintfW,GetTickCount,GetFileSizeEx,CreateFileW,CloseHandle,GetTickCount,RtlAdjustPrivilege,NtQuerySystemInformation,RtlInitUnicodeString,RtlEqualUnicodeString,NtOpenThread,NtImpersonateThread,NtOpenThreadTokenEx,NtAdjustPrivilegesToken,NtClose,NtClose,RtlExitUserThread,0_2_00A98140
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_0046A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,0_2_0046A1EF
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00458310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00458310
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_004651BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_004651BD
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\d610b5edf7fcdce6.binJump to behavior
                Source: C:\Windows\System32\wbengine.exeFile created: C:\Windows\Logs\WindowsBackup
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_0040E6A00_2_0040E6A0
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_0042D9750_2_0042D975
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_0040FCE00_2_0040FCE0
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_004221C50_2_004221C5
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_004362D20_2_004362D2
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_004803DA0_2_004803DA
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_0043242E0_2_0043242E
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_004225FA0_2_004225FA
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_0045E6160_2_0045E616
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_004166E10_2_004166E1
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_0043878F0_2_0043878F
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_004368440_2_00436844
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_004808570_2_00480857
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_004188080_2_00418808
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_004688890_2_00468889
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_0042CB210_2_0042CB21
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00522CC80_2_00522CC8
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00436DB60_2_00436DB6
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00416F9E0_2_00416F9E
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_004130300_2_00413030
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_0042F1D90_2_0042F1D9
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_004231870_2_00423187
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_004012870_2_00401287
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_004214840_2_00421484
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_004155200_2_00415520
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_004276960_2_00427696
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_004157600_2_00415760
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_004219780_2_00421978
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00487DDB0_2_00487DDB
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00421D900_2_00421D90
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_0042BDA60_2_0042BDA6
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_0040DF000_2_0040DF00
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00413FE00_2_00413FE0
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00A981400_2_00A98140
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00A962E00_2_00A962E0
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00A9A3500_2_00A9A350
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00A9B6DE0_2_00A9B6DE
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00ACF0800_2_00ACF080
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00ABE5700_2_00ABE570
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00AD47660_2_00AD4766
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00AA0A100_2_00AA0A10
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00ACCB100_2_00ACCB10
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00AA0B700_2_00AA0B70
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00ACBD800_2_00ACBD80
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00AC2D100_2_00AC2D10
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00A97E700_2_00A97E70
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00AD2F330_2_00AD2F33
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00AC4F100_2_00AC4F10
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00BFB4D00_2_00BFB4D0
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeCode function: 1_3_0205DE341_3_0205DE34
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeCode function: 1_3_0205DE341_3_0205DE34
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeCode function: 1_3_0205DE341_3_0205DE34
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeCode function: 1_3_020976601_3_02097660
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeCode function: 1_3_020976601_3_02097660
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeCode function: 1_3_0208D6E01_3_0208D6E0
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeCode function: 1_3_020667BC1_3_020667BC
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeCode function: 1_3_020667BC1_3_020667BC
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeCode function: 1_3_020667BC1_3_020667BC
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeCode function: 1_3_020667BC1_3_020667BC
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeCode function: 1_3_020985501_3_02098550
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeCode function: 1_3_020985501_3_02098550
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeCode function: 1_3_02070DF81_3_02070DF8
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeCode function: 1_3_0207CA001_3_0207CA00
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeCode function: 1_3_02050A601_3_02050A60
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeCode function: 1_3_02050A601_3_02050A60
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeCode function: 1_3_02050A601_3_02050A60
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeCode function: 1_3_02050A601_3_02050A60
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeCode function: 1_3_020508F01_3_020508F0
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeCode function: 1_3_020508F01_3_020508F0
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeCode function: 1_3_020976601_3_02097660
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeCode function: 1_3_020976601_3_02097660
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeCode function: 1_3_0208D6E01_3_0208D6E0
                Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeProcess token adjusted: Load DriverJump to behavior
                Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeProcess token adjusted: SecurityJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: String function: 00407DE1 appears 35 times
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: String function: 00428900 appears 42 times
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: String function: 00420AE3 appears 70 times
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeCode function: String function: 0209DA38 appears 92 times
                Source: updater.exe.1.drStatic PE information: Resource name: RT_STRING type: CLIPPER COFF executable (VAX #) not stripped - version 71
                Source: msedge_proxy.exe.1.drStatic PE information: Number of sections : 12 > 10
                Source: os_update_handler.exe.1.drStatic PE information: Number of sections : 12 > 10
                Source: setup.exe.1.drStatic PE information: Number of sections : 13 > 10
                Source: elevation_service.exe.1.drStatic PE information: Number of sections : 12 > 10
                Source: msedgewebview2.exe.1.drStatic PE information: Number of sections : 14 > 10
                Source: pwahelper.exe.1.drStatic PE information: Number of sections : 12 > 10
                Source: msedge_pwa_launcher.exe.1.drStatic PE information: Number of sections : 13 > 10
                Source: firefox.exe.1.drStatic PE information: Number of sections : 11 > 10
                Source: identity_helper.exe.1.drStatic PE information: Number of sections : 12 > 10
                Source: ie_to_edge_stub.exe.1.drStatic PE information: Number of sections : 11 > 10
                Source: notification_click_helper.exe.1.drStatic PE information: Number of sections : 13 > 10
                Source: Request for Quotation 2170032137 PDF.exe, 00000000.00000003.1150824434.0000000004323000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Request for Quotation 2170032137 PDF.exe
                Source: Request for Quotation 2170032137 PDF.exe, 00000000.00000003.1153123563.0000000004E9D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Request for Quotation 2170032137 PDF.exe
                Source: Request for Quotation 2170032137 PDF.exe, 00000000.00000003.1142135068.0000000003EB0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamearmsvc.exeN vs Request for Quotation 2170032137 PDF.exe
                Source: Request for Quotation 2170032137 PDF.exe, 00000000.00000003.1147662825.0000000003F20000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameALG.exej% vs Request for Quotation 2170032137 PDF.exe
                Source: Request for Quotation 2170032137 PDF.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: Request for Quotation 2170032137 PDF.exeStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: armsvc.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: alg.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: AppVClient.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: os_update_handler.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: chrome_proxy.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: jusched.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: java.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: javaw.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: javaws.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: jabswitch.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: java-rmi.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: java.exe0.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: crashreporter.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: javacpl.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: default-browser-agent.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: javaw.exe0.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: firefox.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: javaws.exe0.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: maintenanceservice.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: minidump-analyzer.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: pingsender.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: plugin-container.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: private_browsing.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: updater.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: updater.exe0.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: elevation_service.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: maintenanceservice.exe0.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: msdtc.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: msiexec.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: PerceptionSimulationService.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: perfhost.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: jjs.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: jp2launcher.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: keytool.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: kinit.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: klist.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: ktab.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: orbd.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: pack200.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: DiagnosticsHub.StandardCollector.Service.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: policytool.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: FXSSVC.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: rmid.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: elevation_service.exe0.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: Locator.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: MsSense.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: SensorDataService.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: snmptrap.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: Spectrum.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: ssh-agent.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: TieringEngineService.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: AgentService.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: vds.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: rmiregistry.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: servertool.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: ssvagent.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: tnameserv.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: unpack200.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: ie_to_edge_stub.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: cookie_exporter.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: identity_helper.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: setup.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: msedgewebview2.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: VSSVC.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: wbengine.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: WmiApSrv.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: wmpnetwk.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: SearchIndexer.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: msedge_proxy.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: msedge_pwa_launcher.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: notification_click_helper.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: pwahelper.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: Request for Quotation 2170032137 PDF.exeStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: armsvc.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: alg.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: AppVClient.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: os_update_handler.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: chrome_proxy.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: jusched.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: java.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: javaw.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: javaws.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: jabswitch.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: java-rmi.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: java.exe0.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: crashreporter.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: javacpl.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: default-browser-agent.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: javaw.exe0.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: firefox.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: javaws.exe0.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: maintenanceservice.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: minidump-analyzer.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: pingsender.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: plugin-container.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: private_browsing.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: updater.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: updater.exe0.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: elevation_service.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: maintenanceservice.exe0.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: msdtc.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: msiexec.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: PerceptionSimulationService.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: perfhost.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: jjs.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: jp2launcher.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: keytool.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: kinit.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: klist.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: ktab.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: orbd.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: pack200.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: DiagnosticsHub.StandardCollector.Service.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: policytool.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: FXSSVC.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: rmid.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: elevation_service.exe0.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: Locator.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: MsSense.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: SensorDataService.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: snmptrap.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: Spectrum.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: ssh-agent.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: TieringEngineService.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: AgentService.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: vds.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: rmiregistry.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: servertool.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: ssvagent.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: tnameserv.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: unpack200.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: ie_to_edge_stub.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: cookie_exporter.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: identity_helper.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: setup.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: msedgewebview2.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: VSSVC.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: wbengine.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: WmiApSrv.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: wmpnetwk.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: SearchIndexer.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: msedge_proxy.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: msedge_pwa_launcher.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: notification_click_helper.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: pwahelper.exe.1.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: Acrobat.exe.1.drBinary string: \\\\?\UNC\\Device\Mup\\Device\LanmanRedirector\\Device\WebDavRedirector\\Device\WinDfs\\Device\NetWareRedirector\\Device\nwrdr\4202392NtQueryObjectRtlNtStatusToDosErrorRtlCompareUnicodeString\Device\WinDFSCdmRedirectorVolume\Device\HarddiskVolumeDirectory<>:"\|?*Software\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDownbEnableSameObjectCheckbSupportRDSUPDSYSTEM\CurrentControlSet\Control\Terminal Server\ClusterSettingsUvhdEnabledbFilePathPreprocessingUseFileHandleEnabledbFilePathPreprocessingShortcutEnabled"GetFinalPathNameByHandleWGetVolumeInformationByHandleWGetVolumeInformationWacrolock%s%u.%u.%u.tmp%s%s%ssnacnp64.dllsnacnp.dllADC4307573conprnauxnulcomlptshell:::\/:NtQueryInformationFilewin\src\win_utils.ccSameKernelObject check failed: {100184D2-BDC3-477a-B8D3-65548B67914C}_%uLocal\Global\NtQueryVolumeInformationFileSYSTEM\CurrentControlSet\Control\Terminal ServerGlassSessionIduserenv.dllDeriveAppContainerSidFromAppContainerNameGetAppContainerFolderPathNtOpenDirectoryObjectGetAppContainerNamedObjectPath\Sessions\%d\%sNtQueryInformationProcess[ZoneTransfer]
                Source: Acrobat.exe.1.drBinary string: \??\UNC\\\.\\Device\SftVol\ntdll.dllA:\Device\\\?\/?/UNC/\?\UNC\
                Source: VSSVC.exe.1.drBinary string: Zx86AMD64sdiVersion == STORAGE_DEPENDENCY_INFO_VERSION_1 || sdiVersion == STORAGE_DEPENDENCY_INFO_VERSION_2ppDependencyInfoAsrVhd::GetDeviceDependencyInformationwszDevicepathpVhdInfoAsrVhd::TraceVirtualDiskInfohDevice != INVALID_HANDLE_VALUEdwErrorAsrVhd::DiskBuildVhdInfowszFileNameGetDeviceDependencyInformation( wszVolume, TRUE, STORAGE_DEPENDENCY_INFO_VERSION_2, &pVhdInfo )pVirtualDiskInfo->m_rgVhdFileInfo::StringCchCopy( STRING_CCH_PARAM( wszVolume ), wszDevicePath )ulLen > 0wszVhdFileNameModified\Device\\\?\GlobalRoot
                Source: Acrobat.exe.1.drBinary string: win\src\filesystem_policy.ccFailed to process path (recursion detected):Failed to process path: error code:Unexpected error in path processing of:Unexpected error in source path processing of:::$DATA:$I30:$INDEX_ALLOCATION::$INDEX_ALLOCATION\\.\pipe\\\.\mailslot\Invalid path: \/?/?\UNC\Unexpected handle for path: Unexpected handleInvalid Object foundrequested path: actual path: Handle must be NULLCreateKeywin\src\registry_policy.ccUnexpected for: Real path: OpenKey\\?\pipe\NGLWFPipe__INS:(ML;;NW;;;LW)D:P(A;;GA;;;OW)(A;;GA;;;AC)\\?\pipe\\Device\NamedPipe\win\src\named_pipe_policy.ccSameObject check failed: InitializeProcThreadAttributeListUpdateProcThreadAttributewin\src\process_thread_policy.ccCreateProcessWAction: STATUS_ACCESS_DENIEDapp name: command line: NtCreateProcessExntdll.dllNtSuspendProcessNtResumeProcessNtQuerySymbolicLinkObjectNtOpenSymbolicLinkObjectNtClose%d\Sessions\BNOLINKSNtCreateEventNtOpenEventwin\src\signed_policy.ccHandle AccessCheck failed: ntdll.dllkernel32.dllNtAllocateVirtualMemoryNtDuplicateObjectNtFreeVirtualMemoryNtProtectVirtualMemoryNtQuerySectionNtQueryVirtualMemoryNtSignalAndWaitForSingleObjectNtWaitForSingleObjectRtlAllocateHeapRtlAnsiStringToUnicodeStringRtlCreateHeapRtlCreateUserThreadRtlDestroyHeapRtlFreeHeap_strnicmpstrlenwcslenmemcpy_wcsnicmpswprintf_sNtQueryInformationThreadNtCreateFileNtSetInformationFileNtQueryAttributesFileNtQueryFullAttributesFileNtOpenKeyNtCreateKeyNtDeleteValueKeyNtCreateMutantNtOpenMutantNtCreateSectionNtOpenSectionNtAddAtomNtFindAtomNtDeleteAtomNtQueryInformationAtomNtOpenThreadNtOpenProcessNtOpenProcessTokenNtOpenProcessTokenExNtAddAtomExg_ntNtSetInformationThreadNtOpenThreadTokenNtOpenThreadTokenExCreateThread
                Source: VSSVC.exe.1.drBinary string: ::StringCchPrintf( wszDevicePath, ARRAYSIZE(wszDevicePath), L"%s\\Device\\Harddisk%d\\Partition%d\\", L"\\\\?\\GLOBALROOT", dwDeviceNumber, pCurPtnEx->PartitionNumber )
                Source: Acrobat.exe.1.drBinary string: REINSTALLMODE=omus DISABLE_FIU_CHECK=1 IGNOREAAM=1 REPAIRFROMAPP=1 INSTALLUWPAPP=1 IS_COEX_REPAIR=1 /qn/qb REINSTALLMODE=omus DISABLE_FIU_CHECK=1 IGNOREAAM=1 REPAIRFROMAPP=1 BROADCASTCEFRELOAD=1 \/0\*cef_*/qn CLEANUP_CEFFOLDER=1 DISABLE_FIU_CHECK=1 /i msiexec.exe/i ADD_ALL_DICT=1 REINSTALL=AdobeCommonLinguistics SKIP_WEBRCS_REINSTALL=1 SKIP_CEF_KILL=1 /qn.msiexec.exe/i ADDLOCAL=OptionalFeatures,DistillerCJKNative,DistillerCJKSupport,PaperCaptureOptional,PreFlightPlugin DISABLE_FIU_CHECK=1 TRANSITION_INSTALL_MODE=4 SKIP_WEBRCS_REINSTALL=1 SKIP_CEF_KILL=1 /qn\msiexec.exeSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList\MRUListAcrobat.exeMRUListAppDoNotTakePDFOwnershipAtLaunch\\\AppDoNotTakePDFOwnershipAtLaunchWin10DisableOwnershipPrompt.pdf.pdfxml.acrobatsecuritysettings.fdf.xfdf.xdp.pdx.api.secstore.sequ.rmf.bpdxAdobe Acrobat XI ProRtlGetVersionntdll.dll\??\UNC\\\?\UNC\\Device\Mup\\Device\LanmanRedirector\\Device\WebDavRedirector\\Device\WinDfs\\Device\NetWareRedirector\\Device\nwrdr\RtlGetVersionntdll.dllAdobe Systems, IncorporatedAdobe Inc.Adobe Systems Incorporated1.3.6.1.4.1.311.2.1.121.3.6.1.4.1.311.2.1.121.3.6.1.4.1.311.2.1.121.2.840.113549.1.9.61.3.6.1.4.1.311.3.3.1kernel32IsWow64ProcessSystem\CurrentControlSet\Control\CitrixProductVersionNumSoftware\Adobe\Acrobat\ExeSoftware\Microsoft\Windows\CurrentVersion\Policies\SystemEnableLUA/RegisterFileTypesOwnership /PRODUCT:Acrobat /VERSION:12.0 /FixPDF 3305580Click on 'Change' to select default PDF handler.pdf Properties#32770Click on 'Change' to select default PDF handler Properties#32770/\Click on 'Change' to select default PDF handler#32770ADelRCP.exepropertiesClick on 'Change' to select default PDF handler.pdfShowAppPickerForPDF.exeProgram ManagerPROGMANApplicationClick on 'Change' to select default PDF handler.pdf Properties#32770Click on 'Change' to select default PDF handler Properties#3277012Click on 'Change' to select default PDF handler#32770Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice.0Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice\InstallerSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdfSOFTWARE\Adobe\Acrobat Reader\12{A6EADE66-0000-0000-484E-7E8A45000000}{AC76BA86-0000-0000-7761-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\{AC76BA86-0000-0000-7760-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\{AC76BA86-0000-0000-BA7E-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\VersionMajorVersionMinorVersionStringInstalledProductNameAdobe AcrobatreaderSOFTWARE\Wow6432Node\Adobe\Acrobat Reader\.0SOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat Reader\SOFTWARE\Adobe\Adobe Acrobat\PATHVersionMajorVersionMinor7760-BA7E-7AD7-VersionStringInstalledProductNameAdobe AcrobatreaderDCSOFTWARE\Wow6432Node\Adobe\Acrobat Reader\\InstallerSOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat Reader\SOFTWARE\Adobe\Adobe Acrobat\ENU_GUIDPATHInstallLocationAcrobat.Document.DC.pdf{AC76BA86-0000-00
                Source: VSSVC.exe.1.drBinary string: )SYSTEM\CurrentControlSet\Control\MiniNTGetRdisk0DeviceNumberDoStorageIoctlCall(hDisk, IOCTL_STORAGE_GET_DEVICE_NUMBER, NULL, 0, (void **)&pStorageDeviceNumber)AsrGetSystemVolumeGlobalRootPathpdwDeviceNumber\\?\GLOBALROOT\arcname\multi(0)disk(0)rdisk(0)AsrGetSystemVolumeDevPath(wszDevicePath, ARRAYSIZE(wszDevicePath) )StringCchPrintf( pwszVolume, cchVolume, L"\\\\?\\GLOBALROOT%s", wszDevicePath )pwszVolumepSysInfoNtQuerySystemInformation( SystemSystemPartitionInformation, pSysInfo, cbRequiredSize, &cbRequiredSize)AsrGetSystemVolumeDevPathpDriveLayoutExppPartitionTable::StringCchCopyN( pwszVolume, cchVolume, pSysInfo->SystemPartition.Buffer, (pSysInfo->SystemPartition.Length)/sizeof(WCHAR) )AsrpGetMorePartitionInfohSystemVolumeDoVolumeIoctlCall(hSystemVolume, IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS, NULL, 0, (void **)&pSystemVolExtents, NULL)GetRdisk0DeviceNumber(&dwRDisk0DevNumber)AsrGetSystemVolumeGlobalRootPath( wszSysVolPath, ARRAYSIZE(wszSysVolPath) )DoVolumeIoctlCall(hBootVolume, IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS, NULL, 0, (void **)&pBootVolExtents, NULL)pPartitionTableGetBootVolumeGuidName(&pwszBootVolGuidName)hBootVolume%s\Device\Harddisk%d\Partition%d\::StringCchPrintf( wszDevicePath, ARRAYSIZE(wszDevicePath), L"%s\\Device\\Harddisk%d\\Partition%d\\", L"\\\\?\\GLOBALROOT", dwDeviceNumber, pCurPtnEx->PartitionNumber )DiskBuildDevicePartitionPath( dwDeviceNumber, pCurPtnEx->PartitionNumber, FALSE, ARRAY_COUNT_PARAM(wszDevicePath) )\\?\GLOBALROOTAsrpGetMorePartitionInfo( pStorageDeviceNumber->DeviceNumber, pDriveLayoutEx, &pPartitionTable )AsrpInitSystemInformationGetFileSytemType( wszFsName, &pPartitionTable[dwIndex].FileSystemType )AsrpGetDiskLayoutPROCESSOR_ARCHITECTUREERROR_BAD_ENVIRONMENTpSystemInfopSystemInfo->PlatformpSystemInfo->BootSysDirectorypSystemInfo->SystemPathERROR_NOT_SUPPORTEDpSystemInfo->BootWinDirectory::StringCchPrintf(ARRAY_COUNT_PARAM(wszErrorCodeString), L"0x%x", dwError)::StringCchPrintf(ARRAY_COUNT_PARAM(wszDeviceNumber), L"%d", pStorageDeviceNumber->DeviceNumber)DiskListPopulateLayoutInfo0x%xERROR_IO_DEVICEpDiDetailDiskListInitializehdevInfopNewDisk->DevicePath::StringCchCopy(pNewDisk->DevicePath, cchDevicePath, pDiDetail->DevicePath)fResultpNewDisk::StringCchCopyN( ARRAY_COUNT_PARAM(wszDevicePath), pwszVolGuid, ASR_CCH_DEVICE_PATH_FORMAT)VSS_E_CRITICAL_VOLUME_ON_INVALID_DISKAsrpMarkCriticalDiskspfCriticalDiskTableppmwszCriticalVolumeListMwszStringAppend( &mwszCurrentCriticalVolList, pwszCurVolume )ERROR_DEV_NOT_EXISTAsrpMarkCriticalPartitionsMwszStringAppend( &mwszFinalCriticalVolList, pwszCurVolume )MwszStringAppend( &mwszMoreCriticalVolList, pVirtualDiskInfo->m_rgVhdFileInfo[iVhd].m_wszVolumeUniqueName )MwszStringAppend( ppmwszCriticalVolumeList, pwszCurVolume )AsrpIsSupportedConfigurationARM64IA64
                Source: Acrobat.exe.1.drBinary string: \\.\ko.%x.%x.%xSoftware\Classes\CLSID\{054AAE20-4BEA-4347-8A35-64A533254A9D}\LocalServer320123456789abcdef\Device\HarddiskVolume
                Source: Acrobat.exe.1.drBinary string: sbox_alternate_desktop_local_winstation_\??\\\?\\??\pipe\\??\mailslot\\/?/?\\Device\
                Source: VSSVC.exe.1.drBinary string: EnablePrivilegeLogEventdwLastErrorpIoctlOutputBufferpDriveLayoutDiskTraceDriveLayoutGetDriveTypeByHandlepuiDriveTypeOutSafeStrConvertGuidString(&pDriveLayoutEx->Gpt.DiskId, ARRAY_COUNT_PARAM(wszGuidString))SafeStrConvertGuidString(&pPartitionInfo->Gpt.PartitionId, ARRAY_COUNT_PARAM(wszGuidString))DiskBuildDevicePartitionPath::NtQueryVolumeInformationFile( hDisk, &IoStatusBlock, &DeviceInfo,sizeof(DeviceInfo), FileFsDeviceInformation)DiskForceDriversSyncppwszSignatureOutpwszDevicePathOut%s\Device\Harddisk%d\Partition%dpwszSignature::StringCchPrintf(pwszSignature, cchSignature, L"0x%x", pDriveLayout->Mbr.Signature)
                Source: VSSVC.exe.1.drBinary string: pPackIdpAsrSysAsrLdm::InitializeForBackupDevicePathToWin32Path(DD_VOLMGR_CONTROL_DEVICE_NAME, ARRAY_COUNT_PARAM(wszVolMgmtCtlPath))\Device\VolMgrControlpPackListDoVdsIoctlCall(hVdsDriver, IOCTL_VOLMGR_ENUM_PACKS, NULL, 0, (void **)&pOutBuffer)hrpwszXmlDocE_FAILE_OUTOFMEMORYNumPacksAsrLdmpXmlDocDynPackpTopNodeAsrLdm::BuildXmlNodesAsrSifERROR_NOT_FOUNDSystempwszXmlFilenameAsrWriteXmlToSifFileERROR_BAD_FORMAT/_o
                Source: classification engineClassification label: mal100.rans.spre.troj.spyw.evad.winEXE@24/143@108/21
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_0046A06A GetLastError,FormatMessageW,0_2_0046A06A
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_004581CB AdjustTokenPrivileges,CloseHandle,0_2_004581CB
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_004587E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_004587E1
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_0046B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_0046B333
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_0047EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_0047EE0D
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_0046C397 CoInitialize,CoCreateInstance,CoUninitialize,0_2_0046C397
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00404E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_00404E89
                Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeFile created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.logJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeFile created: C:\Users\user\AppData\Roaming\d610b5edf7fcdce6.binJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeMutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-d610b5edf7fcdce67d8e3ee9-b
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeMutant created: \BaseNamedObjects\Global\Multiarch.m0yv-d610b5edf7fcdce69ea72c54-b
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeMutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-d610b5edf7fcdce6-inf
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeFile created: C:\Users\user\AppData\Local\Temp\aut7AA4.tmpJump to behavior
                Source: C:\Program Files\Mozilla Firefox\firefox.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: mfpmp.exe, 0000000F.00000003.1544357692.0000000002D45000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 0000000F.00000002.2419863216.0000000002D45000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: Request for Quotation 2170032137 PDF.exeReversingLabs: Detection: 85%
                Source: Request for Quotation 2170032137 PDF.exeVirustotal: Detection: 73%
                Source: unknownProcess created: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exe "C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exe"
                Source: unknownProcess created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exe"
                Source: unknownProcess created: C:\Windows\System32\alg.exe C:\Windows\System32\alg.exe
                Source: unknownProcess created: C:\Windows\System32\FXSSVC.exe C:\Windows\system32\fxssvc.exe
                Source: unknownProcess created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
                Source: unknownProcess created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
                Source: unknownProcess created: C:\Windows\System32\msdtc.exe C:\Windows\System32\msdtc.exe
                Source: unknownProcess created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
                Source: unknownProcess created: C:\Windows\SysWOW64\perfhost.exe C:\Windows\SysWow64\perfhost.exe
                Source: unknownProcess created: C:\Windows\System32\Locator.exe C:\Windows\system32\locator.exe
                Source: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exeProcess created: C:\Windows\SysWOW64\mfpmp.exe "C:\Windows\SysWOW64\mfpmp.exe"
                Source: unknownProcess created: C:\Windows\System32\SensorDataService.exe C:\Windows\System32\SensorDataService.exe
                Source: unknownProcess created: C:\Windows\System32\snmptrap.exe C:\Windows\System32\snmptrap.exe
                Source: unknownProcess created: C:\Windows\System32\Spectrum.exe C:\Windows\system32\spectrum.exe
                Source: unknownProcess created: C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Windows\System32\OpenSSH\ssh-agent.exe
                Source: unknownProcess created: C:\Windows\System32\TieringEngineService.exe C:\Windows\system32\TieringEngineService.exe
                Source: unknownProcess created: C:\Windows\System32\AgentService.exe C:\Windows\system32\AgentService.exe
                Source: unknownProcess created: C:\Windows\System32\vds.exe C:\Windows\System32\vds.exe
                Source: unknownProcess created: C:\Windows\System32\wbengine.exe "C:\Windows\system32\wbengine.exe"
                Source: C:\Windows\SysWOW64\mfpmp.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exe"Jump to behavior
                Source: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exeProcess created: C:\Windows\SysWOW64\mfpmp.exe "C:\Windows\SysWOW64\mfpmp.exe"Jump to behavior
                Source: C:\Windows\SysWOW64\mfpmp.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeSection loaded: wsock32.dllJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeSection loaded: webio.dllJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: webio.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\System32\alg.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\System32\alg.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\System32\alg.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\FXSSVC.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\FXSSVC.exeSection loaded: tapi32.dllJump to behavior
                Source: C:\Windows\System32\FXSSVC.exeSection loaded: credui.dllJump to behavior
                Source: C:\Windows\System32\FXSSVC.exeSection loaded: fxstiff.dllJump to behavior
                Source: C:\Windows\System32\FXSSVC.exeSection loaded: slc.dllJump to behavior
                Source: C:\Windows\System32\FXSSVC.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Windows\System32\FXSSVC.exeSection loaded: fxsresm.dllJump to behavior
                Source: C:\Windows\System32\FXSSVC.exeSection loaded: ualapi.dllJump to behavior
                Source: C:\Windows\System32\FXSSVC.exeSection loaded: slc.dllJump to behavior
                Source: C:\Windows\System32\FXSSVC.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Windows\System32\FXSSVC.exeSection loaded: slc.dllJump to behavior
                Source: C:\Windows\System32\FXSSVC.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Windows\System32\FXSSVC.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\System32\FXSSVC.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\System32\FXSSVC.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\System32\FXSSVC.exeSection loaded: slc.dllJump to behavior
                Source: C:\Windows\System32\FXSSVC.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: dbghelp.dllJump to behavior
                Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: version.dllJump to behavior
                Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\msdtc.exeSection loaded: msdtctm.dllJump to behavior
                Source: C:\Windows\System32\msdtc.exeSection loaded: msdtcprx.dllJump to behavior
                Source: C:\Windows\System32\msdtc.exeSection loaded: msdtclog.dllJump to behavior
                Source: C:\Windows\System32\msdtc.exeSection loaded: mtxclu.dllJump to behavior
                Source: C:\Windows\System32\msdtc.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Windows\System32\msdtc.exeSection loaded: clusapi.dllJump to behavior
                Source: C:\Windows\System32\msdtc.exeSection loaded: xolehlp.dllJump to behavior
                Source: C:\Windows\System32\msdtc.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\System32\msdtc.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\System32\msdtc.exeSection loaded: ktmw32.dllJump to behavior
                Source: C:\Windows\System32\msdtc.exeSection loaded: resutils.dllJump to behavior
                Source: C:\Windows\System32\msdtc.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\System32\msdtc.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\System32\msdtc.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\System32\msdtc.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\msdtc.exeSection loaded: comres.dllJump to behavior
                Source: C:\Windows\System32\msdtc.exeSection loaded: msdtcvsp1res.dllJump to behavior
                Source: C:\Windows\System32\msdtc.exeSection loaded: mtxoci.dllJump to behavior
                Source: C:\Windows\System32\msdtc.exeSection loaded: oci.dllJump to behavior
                Source: C:\Windows\System32\msdtc.exeSection loaded: wkscli.dllJump to behavior
                Source: C:\Windows\System32\msdtc.exeSection loaded: cscapi.dllJump to behavior
                Source: C:\Windows\System32\msdtc.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\System32\msdtc.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\System32\msdtc.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\System32\msdtc.exeSection loaded: firewallapi.dllJump to behavior
                Source: C:\Windows\System32\msdtc.exeSection loaded: fwbase.dllJump to behavior
                Source: C:\Windows\System32\msdtc.exeSection loaded: fwpolicyiomgr.dllJump to behavior
                Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: hid.dllJump to behavior
                Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: dxgi.dllJump to behavior
                Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: devobj.dllJump to behavior
                Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\SysWOW64\perfhost.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\SysWOW64\perfhost.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Windows\SysWOW64\perfhost.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\perfhost.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\perfhost.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\perfhost.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\perfhost.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: mfcore.dll
                Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: mfplat.dll
                Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: powrprof.dll
                Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: ksuser.dll
                Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: mfperfhelper.dll
                Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: umpdc.dll
                Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: rtworkq.dll
                Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: wininet.dll
                Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: version.dll
                Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: userenv.dll
                Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: netutils.dll
                Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: wldp.dll
                Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: profapi.dll
                Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: secur32.dll
                Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: mlang.dll
                Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: propsys.dll
                Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: dpapi.dll
                Source: C:\Windows\System32\SensorDataService.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\System32\SensorDataService.exeSection loaded: mfplat.dll
                Source: C:\Windows\System32\SensorDataService.exeSection loaded: rtworkq.dll
                Source: C:\Windows\System32\SensorDataService.exeSection loaded: windows.devices.perception.dll
                Source: C:\Windows\System32\SensorDataService.exeSection loaded: mediafoundation.defaultperceptionprovider.dll
                Source: C:\Windows\System32\SensorDataService.exeSection loaded: windows.devices.enumeration.dll
                Source: C:\Windows\System32\SensorDataService.exeSection loaded: propsys.dll
                Source: C:\Windows\System32\SensorDataService.exeSection loaded: structuredquery.dll
                Source: C:\Windows\System32\SensorDataService.exeSection loaded: profapi.dll
                Source: C:\Windows\System32\SensorDataService.exeSection loaded: windows.globalization.dll
                Source: C:\Windows\System32\SensorDataService.exeSection loaded: bcp47langs.dll
                Source: C:\Windows\System32\SensorDataService.exeSection loaded: bcp47mrm.dll
                Source: C:\Windows\System32\SensorDataService.exeSection loaded: icu.dll
                Source: C:\Windows\System32\SensorDataService.exeSection loaded: mswb7.dll
                Source: C:\Windows\System32\SensorDataService.exeSection loaded: devdispitemprovider.dll
                Source: C:\Windows\System32\snmptrap.exeSection loaded: mswsock.dll
                Source: C:\Windows\System32\snmptrap.exeSection loaded: napinsp.dll
                Source: C:\Windows\System32\snmptrap.exeSection loaded: pnrpnsp.dll
                Source: C:\Windows\System32\snmptrap.exeSection loaded: wshbth.dll
                Source: C:\Windows\System32\snmptrap.exeSection loaded: nlaapi.dll
                Source: C:\Windows\System32\snmptrap.exeSection loaded: iphlpapi.dll
                Source: C:\Windows\System32\snmptrap.exeSection loaded: dnsapi.dll
                Source: C:\Windows\System32\snmptrap.exeSection loaded: winrnr.dll
                Source: C:\Windows\System32\Spectrum.exeSection loaded: powrprof.dll
                Source: C:\Windows\System32\Spectrum.exeSection loaded: rmclient.dll
                Source: C:\Windows\System32\Spectrum.exeSection loaded: rmclient.dll
                Source: C:\Windows\System32\Spectrum.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\System32\Spectrum.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\System32\Spectrum.exeSection loaded: spectrumsyncclient.dll
                Source: C:\Windows\System32\Spectrum.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\System32\Spectrum.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\System32\Spectrum.exeSection loaded: umpdc.dll
                Source: C:\Windows\System32\Spectrum.exeSection loaded: winhttp.dll
                Source: C:\Windows\System32\Spectrum.exeSection loaded: mpr.dll
                Source: C:\Windows\System32\Spectrum.exeSection loaded: secur32.dll
                Source: C:\Windows\System32\Spectrum.exeSection loaded: sspicli.dll
                Source: C:\Windows\System32\Spectrum.exeSection loaded: dnsapi.dll
                Source: C:\Windows\System32\Spectrum.exeSection loaded: iphlpapi.dll
                Source: C:\Windows\System32\Spectrum.exeSection loaded: ntmarta.dll
                Source: C:\Windows\System32\Spectrum.exeSection loaded: perceptionsimulationextensions.dll
                Source: C:\Windows\System32\Spectrum.exeSection loaded: hid.dll
                Source: C:\Windows\System32\Spectrum.exeSection loaded: holographicruntimes.dll
                Source: C:\Windows\System32\Spectrum.exeSection loaded: perceptiondevice.dll
                Source: C:\Windows\System32\Spectrum.exeSection loaded: spatialstore.dll
                Source: C:\Windows\System32\Spectrum.exeSection loaded: esent.dll
                Source: C:\Windows\System32\Spectrum.exeSection loaded: analogcommonproxystub.dll
                Source: C:\Windows\System32\Spectrum.exeSection loaded: capabilityaccessmanagerclient.dll
                Source: C:\Windows\System32\Spectrum.exeSection loaded: wintypes.dll
                Source: C:\Windows\System32\Spectrum.exeSection loaded: windows.devices.enumeration.dll
                Source: C:\Windows\System32\Spectrum.exeSection loaded: propsys.dll
                Source: C:\Windows\System32\Spectrum.exeSection loaded: structuredquery.dll
                Source: C:\Windows\System32\Spectrum.exeSection loaded: profapi.dll
                Source: C:\Windows\System32\Spectrum.exeSection loaded: windows.globalization.dll
                Source: C:\Windows\System32\Spectrum.exeSection loaded: bcp47langs.dll
                Source: C:\Windows\System32\Spectrum.exeSection loaded: bcp47mrm.dll
                Source: C:\Windows\System32\Spectrum.exeSection loaded: icu.dll
                Source: C:\Windows\System32\Spectrum.exeSection loaded: mswb7.dll
                Source: C:\Windows\System32\Spectrum.exeSection loaded: devdispitemprovider.dll
                Source: C:\Windows\System32\OpenSSH\ssh-agent.exeSection loaded: apphelp.dll
                Source: C:\Windows\System32\OpenSSH\ssh-agent.exeSection loaded: libcrypto.dll
                Source: C:\Windows\System32\OpenSSH\ssh-agent.exeSection loaded: cryptsp.dll
                Source: C:\Windows\System32\OpenSSH\ssh-agent.exeSection loaded: winhttp.dll
                Source: C:\Windows\System32\OpenSSH\ssh-agent.exeSection loaded: mpr.dll
                Source: C:\Windows\System32\OpenSSH\ssh-agent.exeSection loaded: secur32.dll
                Source: C:\Windows\System32\OpenSSH\ssh-agent.exeSection loaded: sspicli.dll
                Source: C:\Windows\System32\OpenSSH\ssh-agent.exeSection loaded: dnsapi.dll
                Source: C:\Windows\System32\OpenSSH\ssh-agent.exeSection loaded: iphlpapi.dll
                Source: C:\Windows\System32\OpenSSH\ssh-agent.exeSection loaded: ntmarta.dll
                Source: C:\Windows\System32\TieringEngineService.exeSection loaded: esent.dll
                Source: C:\Windows\System32\TieringEngineService.exeSection loaded: clusapi.dll
                Source: C:\Windows\System32\TieringEngineService.exeSection loaded: dnsapi.dll
                Source: C:\Windows\System32\TieringEngineService.exeSection loaded: iphlpapi.dll
                Source: C:\Windows\System32\TieringEngineService.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\System32\AgentService.exeSection loaded: fltlib.dll
                Source: C:\Windows\System32\AgentService.exeSection loaded: version.dll
                Source: C:\Windows\System32\AgentService.exeSection loaded: activeds.dll
                Source: C:\Windows\System32\AgentService.exeSection loaded: adsldpc.dll
                Source: C:\Windows\System32\AgentService.exeSection loaded: msasn1.dll
                Source: C:\Windows\System32\AgentService.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\System32\AgentService.exeSection loaded: appmanagementconfiguration.dll
                Source: C:\Windows\System32\vds.exeSection loaded: atl.dll
                Source: C:\Windows\System32\vds.exeSection loaded: osuninst.dll
                Source: C:\Windows\System32\vds.exeSection loaded: vdsutil.dll
                Source: C:\Windows\System32\vds.exeSection loaded: bcd.dll
                Source: C:\Windows\System32\vds.exeSection loaded: uexfat.dll
                Source: C:\Windows\System32\vds.exeSection loaded: ulib.dll
                Source: C:\Windows\System32\vds.exeSection loaded: ifsutil.dll
                Source: C:\Windows\System32\vds.exeSection loaded: devobj.dll
                Source: C:\Windows\System32\vds.exeSection loaded: uudf.dll
                Source: C:\Windows\System32\vds.exeSection loaded: untfs.dll
                Source: C:\Windows\System32\vds.exeSection loaded: ufat.dll
                Source: C:\Windows\System32\vds.exeSection loaded: fmifs.dll
                Source: C:\Windows\System32\vds.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\System32\wbengine.exeSection loaded: vssapi.dll
                Source: C:\Windows\System32\wbengine.exeSection loaded: virtdisk.dll
                Source: C:\Windows\System32\wbengine.exeSection loaded: bcd.dll
                Source: C:\Windows\System32\wbengine.exeSection loaded: spp.dll
                Source: C:\Windows\System32\wbengine.exeSection loaded: netapi32.dll
                Source: C:\Windows\System32\wbengine.exeSection loaded: xmllite.dll
                Source: C:\Windows\System32\wbengine.exeSection loaded: clusapi.dll
                Source: C:\Windows\System32\wbengine.exeSection loaded: wer.dll
                Source: C:\Windows\System32\wbengine.exeSection loaded: vsstrace.dll
                Source: C:\Windows\System32\wbengine.exeSection loaded: fltlib.dll
                Source: C:\Windows\System32\wbengine.exeSection loaded: dnsapi.dll
                Source: C:\Windows\System32\wbengine.exeSection loaded: srvcli.dll
                Source: C:\Windows\System32\wbengine.exeSection loaded: netutils.dll
                Source: C:\Windows\System32\wbengine.exeSection loaded: iphlpapi.dll
                Source: C:\Windows\System32\wbengine.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\System32\wbengine.exeSection loaded: fveapi.dll
                Source: C:\Windows\System32\wbengine.exeSection loaded: cscapi.dll
                Source: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exeSection loaded: wininet.dll
                Source: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exeSection loaded: mswsock.dll
                Source: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exeSection loaded: dnsapi.dll
                Source: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exeSection loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exeSection loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exeSection loaded: rasadhlp.dll
                Source: C:\Windows\System32\msdtc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{304CE942-6E39-40D8-943A-B913C40C9CD4}\InprocServer32Jump to behavior
                Source: C:\Windows\SysWOW64\mfpmp.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: Request for Quotation 2170032137 PDF.exeStatic file information: File size 1773056 > 1048576
                Source: Request for Quotation 2170032137 PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: armsvc.exe, 00000001.00000003.1725592296.0000000001FC0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: Request for Quotation 2170032137 PDF.exe, 00000000.00000003.1142035027.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe.0.dr
                Source: Binary string: msiexec.pdb source: armsvc.exe, 00000001.00000003.1223159068.0000000001AB0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: armsvc.exe, 00000001.00000003.1795693863.0000000000830000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1797481959.00000000007C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1807529055.0000000000700000.00000004.00001000.00020000.00000000.sdmp, WindowsInstaller-KB893803-v2-x86.exe.1.dr
                Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb source: armsvc.exe, 00000001.00000003.1420784875.0000000001FB0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: ssh-agent.pdb source: armsvc.exe, 00000001.00000003.1289641035.0000000002040000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: armsvc.exe, 00000001.00000003.1539307812.0000000001F30000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: armsvc.exe, 00000001.00000003.1539307812.0000000001F30000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: vssvc.pdb source: VSSVC.exe.1.dr
                Source: Binary string: msiexec.pdbGCTL source: armsvc.exe, 00000001.00000003.1223159068.0000000001AB0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: ADelRCP_Exec.pdb source: armsvc.exe, 00000001.00000003.1564810456.0000000001AC0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\jjs_objs\jjs.pdb source: jjs.exe.1.dr
                Source: Binary string: mavinject32.pdbGCTL source: armsvc.exe, 00000001.00000003.1843574884.0000000000870000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1840114212.0000000000860000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: PresentationFontCache.pdb source: armsvc.exe, 00000001.00000003.1173376977.0000000002090000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: PerceptionSimulationService.pdb source: armsvc.exe, 00000001.00000003.1229499868.0000000002050000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: MFPMP.pdbUGP source: svchost.exe, 00000002.00000003.1286446437.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1287237079.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1287309124.0000000002E24000.00000004.00000020.00020000.00000000.sdmp, JHafvhydouNovF.exe, 0000000D.00000003.1692984351.0000000001054000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: Request for Quotation 2170032137 PDF.exe, 00000000.00000003.1149607815.0000000004080000.00000004.00001000.00020000.00000000.sdmp, Request for Quotation 2170032137 PDF.exe, 00000000.00000003.1153123563.0000000004D70000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1224739065.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1319947125.0000000003500000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1319947125.000000000369E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1220845297.0000000003100000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 0000000F.00000003.1319850265.0000000002EA7000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 0000000F.00000003.1323704812.0000000003055000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 0000000F.00000002.2459249033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, mfpmp.exe, 0000000F.00000002.2459249033.000000000339E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: armsvc.exe, 00000001.00000003.1510211277.0000000001AB0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmiregistry_objs\rmiregistry.pdb source: rmiregistry.exe.1.dr
                Source: Binary string: Spectrum.pdb source: Spectrum.exe.1.dr
                Source: Binary string: D:\a\_work\e\src\out\Release_x64\notification_helper.exe.pdb source: notification_click_helper.exe.1.dr
                Source: Binary string: MsSense.pdbGCTL source: armsvc.exe, 00000001.00000003.1257975412.0000000002040000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: armsvc.exe, 00000001.00000003.1827366220.00000000007F0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: MsSense.pdb source: armsvc.exe, 00000001.00000003.1257975412.0000000002040000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: armsvc.exe, 00000001.00000003.1737871345.0000000002030000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1745300945.00000000019D0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\tnameserv_objs\tnameserv.pdb source: tnameserv.exe.1.dr
                Source: Binary string: svchost.pdb source: mfpmp.exe, 0000000F.00000002.2419863216.0000000002CC8000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 0000000F.00000002.2472507538.000000000382C000.00000004.10000000.00040000.00000000.sdmp, JHafvhydouNovF.exe, 00000023.00000002.2459183149.00000000025BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000026.00000002.1657376699.000000002146C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: WmiApSrv.pdbGCTL source: armsvc.exe, 00000001.00000003.1345776627.0000000002040000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: mfpmp.exe, 0000000F.00000002.2419863216.0000000002CC8000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 0000000F.00000002.2472507538.000000000382C000.00000004.10000000.00040000.00000000.sdmp, JHafvhydouNovF.exe, 00000023.00000002.2459183149.00000000025BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000026.00000002.1657376699.000000002146C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: armsvc.exe, 00000001.00000003.1603124621.00000000019D0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatExe.pdb source: Acrobat.exe.1.dr
                Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\javacplexec\obj\javacpl.pdb source: javacpl.exe.1.dr
                Source: Binary string: Acrobat_SL.pdb((( source: armsvc.exe, 00000001.00000003.1433078419.0000000001FB0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: Spectrum.pdbGCTL source: Spectrum.exe.1.dr
                Source: Binary string: locator.pdb source: armsvc.exe, 00000001.00000003.1242191061.0000000002040000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1255672902.0000000001FA0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: armsvc.exe, 00000001.00000003.1163574287.00000000020A0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmid_objs\rmid.pdb source: rmid.exe.1.dr
                Source: Binary string: ADelRCP_Exec.pdbCC9 source: armsvc.exe, 00000001.00000003.1564810456.0000000001AC0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdb source: armsvc.exe, 00000001.00000003.1441681330.0000000001FB0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: Acrobat_SL.pdb source: armsvc.exe, 00000001.00000003.1433078419.0000000001FB0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: armsvc.exe, 00000001.00000003.1795693863.0000000000830000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1797481959.00000000007C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1807529055.0000000000700000.00000004.00001000.00020000.00000000.sdmp, WindowsInstaller-KB893803-v2-x86.exe.1.dr
                Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\javacplexec\obj\javacpl.pdb774 source: javacpl.exe.1.dr
                Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\java_objs\java.pdb source: java.exe.1.dr
                Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: armsvc.exe, 00000001.00000003.1510211277.0000000001AB0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: armsvc.exe, 00000001.00000003.1623851549.0000000002020000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) source: armsvc.exe, 00000001.00000003.1420784875.0000000001FB0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\jjs_objs\jjs.pdb source: jjs.exe.1.dr
                Source: Binary string: mavinject32.pdb source: armsvc.exe, 00000001.00000003.1843574884.0000000000870000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1840114212.0000000000860000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: PerceptionSimulationService.pdbGCTL source: armsvc.exe, 00000001.00000003.1229499868.0000000002050000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: snmptrap.pdbGCTL source: armsvc.exe, 00000001.00000003.1268341299.0000000002040000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: maintenanceservice.pdb source: armsvc.exe, 00000001.00000003.1208471492.0000000002000000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: 64BitMAPIBroker.pdb source: armsvc.exe, 00000001.00000003.1698790977.0000000001FC0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: msdtcexe.pdbGCTL source: armsvc.exe, 00000001.00000003.1213391981.0000000002070000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: armsvc.exe, 00000001.00000003.1827366220.00000000007F0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: PerfHost.pdbGCTL source: armsvc.exe, 00000001.00000003.1240594107.0000000001FB0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1235751119.0000000002040000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1236521918.0000000002050000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: JHafvhydouNovF.exe, 0000000D.00000002.2405366340.000000000092F000.00000002.00000001.01000000.00000007.sdmp, JHafvhydouNovF.exe, 00000023.00000002.2452069883.000000000092F000.00000002.00000001.01000000.00000007.sdmp
                Source: Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: armsvc.exe, 00000001.00000003.1676598207.0000000001FB0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\T\Acrobat\Installers\ADNotificationManager\Viewer Release_x64\ADNotificationManager.pdb source: ADNotificationManager.exe.1.dr
                Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: armsvc.exe, 00000001.00000003.1603124621.00000000019D0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmid_objs\rmid.pdb source: rmid.exe.1.dr
                Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: armsvc.exe, 00000001.00000003.1623851549.0000000002020000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: PerfHost.pdb source: armsvc.exe, 00000001.00000003.1240594107.0000000001FB0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1235751119.0000000002040000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1236521918.0000000002050000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: armsvc.exe, 00000001.00000003.1683926901.0000000001FC0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: armsvc.exe, 00000001.00000003.1725592296.0000000001FC0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: MFPMP.pdb source: svchost.exe, 00000002.00000003.1286446437.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1287237079.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1287309124.0000000002E24000.00000004.00000020.00020000.00000000.sdmp, JHafvhydouNovF.exe, 0000000D.00000003.1692984351.0000000001054000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\klist_objs\klist.pdb source: klist.exe.1.dr
                Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\tnameserv_objs\tnameserv.pdb source: tnameserv.exe.1.dr
                Source: Binary string: maintenanceservice.pdb` source: armsvc.exe, 00000001.00000003.1208471492.0000000002000000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: armsvc.exe, 00000001.00000003.1737871345.0000000002030000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1745300945.00000000019D0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: Request for Quotation 2170032137 PDF.exe, 00000000.00000003.1149607815.0000000004080000.00000004.00001000.00020000.00000000.sdmp, Request for Quotation 2170032137 PDF.exe, 00000000.00000003.1153123563.0000000004D70000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1224739065.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1319947125.0000000003500000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1319947125.000000000369E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1220845297.0000000003100000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 0000000F.00000003.1319850265.0000000002EA7000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 0000000F.00000003.1323704812.0000000003055000.00000004.00000020.00020000.00000000.sdmp, mfpmp.exe, 0000000F.00000002.2459249033.0000000003200000.00000040.00001000.00020000.00000000.sdmp, mfpmp.exe, 0000000F.00000002.2459249033.000000000339E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: TieringEngineService.pdb source: armsvc.exe, 00000001.00000003.1294714675.0000000002040000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: TieringEngineService.pdbGCTL source: armsvc.exe, 00000001.00000003.1294714675.0000000002040000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: WmiApSrv.pdb source: armsvc.exe, 00000001.00000003.1345776627.0000000002040000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: armsvc.exe, 00000001.00000003.1633923544.0000000001AB0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\a\_work\e\src\out\Release_x64\notification_helper.exe.pdbOGP source: notification_click_helper.exe.1.dr
                Source: Binary string: ALG.pdb source: Request for Quotation 2170032137 PDF.exe, 00000000.00000003.1147493593.0000000003F20000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmiregistry_objs\rmiregistry.pdb source: rmiregistry.exe.1.dr
                Source: Binary string: msdtcexe.pdb source: armsvc.exe, 00000001.00000003.1213391981.0000000002070000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: armsvc.exe, 00000001.00000003.1163574287.00000000020A0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: ALG.pdbGCTL source: Request for Quotation 2170032137 PDF.exe, 00000000.00000003.1147493593.0000000003F20000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: armsvc.exe, 00000001.00000003.1173376977.0000000002090000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: locator.pdbGCTL source: armsvc.exe, 00000001.00000003.1242191061.0000000002040000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1255672902.0000000001FA0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: armsvc.exe, 00000001.00000003.1441681330.0000000001FB0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\T\Acrobat\Installers\ADNotificationManager\Viewer Release_x64\ADNotificationManager.pdb22 source: ADNotificationManager.exe.1.dr
                Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\klist_objs\klist.pdb source: klist.exe.1.dr
                Source: Binary string: ssh-agent.pdbX source: armsvc.exe, 00000001.00000003.1289641035.0000000002040000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: vssvc.pdbUGP source: VSSVC.exe.1.dr
                Source: Binary string: AppVShNotify.pdb source: armsvc.exe, 00000001.00000003.1823458268.00000000007B0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: snmptrap.pdb source: armsvc.exe, 00000001.00000003.1268341299.0000000002040000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: armsvc.exe, 00000001.00000003.1683926901.0000000001FC0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: armsvc.exe, 00000001.00000003.1633923544.0000000001AB0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: AppVShNotify.pdbGCTL source: armsvc.exe, 00000001.00000003.1823458268.00000000007B0000.00000004.00001000.00020000.00000000.sdmp
                Source: alg.exe.0.drStatic PE information: 0xF67E8745 [Tue Jan 18 10:28:21 2101 UTC]
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00404B37 LoadLibraryA,GetProcAddress,0_2_00404B37
                Source: AppVClient.exe.0.drStatic PE information: real checksum: 0xcd10f should be: 0x1574a2
                Source: armsvc.exe.0.drStatic PE information: section name: .didat
                Source: alg.exe.0.drStatic PE information: section name: .didat
                Source: os_update_handler.exe.1.drStatic PE information: section name: .gxfg
                Source: os_update_handler.exe.1.drStatic PE information: section name: .retplne
                Source: os_update_handler.exe.1.drStatic PE information: section name: CPADinfo
                Source: os_update_handler.exe.1.drStatic PE information: section name: LZMADEC
                Source: os_update_handler.exe.1.drStatic PE information: section name: _RDATA
                Source: chrome_proxy.exe.1.drStatic PE information: section name: .gxfg
                Source: chrome_proxy.exe.1.drStatic PE information: section name: .retplne
                Source: chrome_proxy.exe.1.drStatic PE information: section name: _RDATA
                Source: crashreporter.exe.1.drStatic PE information: section name: .00cfg
                Source: crashreporter.exe.1.drStatic PE information: section name: .voltbl
                Source: default-browser-agent.exe.1.drStatic PE information: section name: .00cfg
                Source: default-browser-agent.exe.1.drStatic PE information: section name: .voltbl
                Source: firefox.exe.1.drStatic PE information: section name: .00cfg
                Source: firefox.exe.1.drStatic PE information: section name: .freestd
                Source: firefox.exe.1.drStatic PE information: section name: .retplne
                Source: firefox.exe.1.drStatic PE information: section name: .voltbl
                Source: maintenanceservice.exe.1.drStatic PE information: section name: .00cfg
                Source: maintenanceservice.exe.1.drStatic PE information: section name: .voltbl
                Source: maintenanceservice.exe.1.drStatic PE information: section name: _RDATA
                Source: minidump-analyzer.exe.1.drStatic PE information: section name: .00cfg
                Source: minidump-analyzer.exe.1.drStatic PE information: section name: .voltbl
                Source: pingsender.exe.1.drStatic PE information: section name: .00cfg
                Source: pingsender.exe.1.drStatic PE information: section name: .voltbl
                Source: plugin-container.exe.1.drStatic PE information: section name: .00cfg
                Source: plugin-container.exe.1.drStatic PE information: section name: .voltbl
                Source: private_browsing.exe.1.drStatic PE information: section name: .00cfg
                Source: private_browsing.exe.1.drStatic PE information: section name: .voltbl
                Source: updater.exe.1.drStatic PE information: section name: CPADinfo
                Source: updater.exe.1.drStatic PE information: section name: malloc_h
                Source: updater.exe0.1.drStatic PE information: section name: .00cfg
                Source: updater.exe0.1.drStatic PE information: section name: .voltbl
                Source: updater.exe0.1.drStatic PE information: section name: _RDATA
                Source: elevation_service.exe.1.drStatic PE information: section name: .00cfg
                Source: elevation_service.exe.1.drStatic PE information: section name: .gxfg
                Source: elevation_service.exe.1.drStatic PE information: section name: .retplne
                Source: elevation_service.exe.1.drStatic PE information: section name: _RDATA
                Source: elevation_service.exe.1.drStatic PE information: section name: malloc_h
                Source: maintenanceservice.exe0.1.drStatic PE information: section name: .00cfg
                Source: maintenanceservice.exe0.1.drStatic PE information: section name: .voltbl
                Source: maintenanceservice.exe0.1.drStatic PE information: section name: _RDATA
                Source: msdtc.exe.1.drStatic PE information: section name: .didat
                Source: msiexec.exe.1.drStatic PE information: section name: .didat
                Source: FXSSVC.exe.1.drStatic PE information: section name: .didat
                Source: elevation_service.exe0.1.drStatic PE information: section name: .gxfg
                Source: elevation_service.exe0.1.drStatic PE information: section name: .retplne
                Source: elevation_service.exe0.1.drStatic PE information: section name: _RDATA
                Source: MsSense.exe.1.drStatic PE information: section name: .didat
                Source: Spectrum.exe.1.drStatic PE information: section name: .didat
                Source: TieringEngineService.exe.1.drStatic PE information: section name: .didat
                Source: vds.exe.1.drStatic PE information: section name: .didat
                Source: unpack200.exe.1.drStatic PE information: section name: .00cfg
                Source: ie_to_edge_stub.exe.1.drStatic PE information: section name: .00cfg
                Source: ie_to_edge_stub.exe.1.drStatic PE information: section name: .gxfg
                Source: ie_to_edge_stub.exe.1.drStatic PE information: section name: .retplne
                Source: ie_to_edge_stub.exe.1.drStatic PE information: section name: _RDATA
                Source: cookie_exporter.exe.1.drStatic PE information: section name: .00cfg
                Source: cookie_exporter.exe.1.drStatic PE information: section name: .gxfg
                Source: cookie_exporter.exe.1.drStatic PE information: section name: .retplne
                Source: cookie_exporter.exe.1.drStatic PE information: section name: _RDATA
                Source: identity_helper.exe.1.drStatic PE information: section name: .00cfg
                Source: identity_helper.exe.1.drStatic PE information: section name: .gxfg
                Source: identity_helper.exe.1.drStatic PE information: section name: .retplne
                Source: identity_helper.exe.1.drStatic PE information: section name: _RDATA
                Source: identity_helper.exe.1.drStatic PE information: section name: malloc_h
                Source: setup.exe.1.drStatic PE information: section name: .00cfg
                Source: setup.exe.1.drStatic PE information: section name: .gxfg
                Source: setup.exe.1.drStatic PE information: section name: .retplne
                Source: setup.exe.1.drStatic PE information: section name: LZMADEC
                Source: setup.exe.1.drStatic PE information: section name: _RDATA
                Source: setup.exe.1.drStatic PE information: section name: malloc_h
                Source: msedgewebview2.exe.1.drStatic PE information: section name: .00cfg
                Source: msedgewebview2.exe.1.drStatic PE information: section name: .gxfg
                Source: msedgewebview2.exe.1.drStatic PE information: section name: .retplne
                Source: msedgewebview2.exe.1.drStatic PE information: section name: CPADinfo
                Source: msedgewebview2.exe.1.drStatic PE information: section name: LZMADEC
                Source: msedgewebview2.exe.1.drStatic PE information: section name: _RDATA
                Source: msedgewebview2.exe.1.drStatic PE information: section name: malloc_h
                Source: VSSVC.exe.1.drStatic PE information: section name: .didat
                Source: WmiApSrv.exe.1.drStatic PE information: section name: .didat
                Source: wmpnetwk.exe.1.drStatic PE information: section name: .didat
                Source: SearchIndexer.exe.1.drStatic PE information: section name: .didat
                Source: msedge_proxy.exe.1.drStatic PE information: section name: .00cfg
                Source: msedge_proxy.exe.1.drStatic PE information: section name: .gxfg
                Source: msedge_proxy.exe.1.drStatic PE information: section name: .retplne
                Source: msedge_proxy.exe.1.drStatic PE information: section name: _RDATA
                Source: msedge_proxy.exe.1.drStatic PE information: section name: malloc_h
                Source: msedge_pwa_launcher.exe.1.drStatic PE information: section name: .00cfg
                Source: msedge_pwa_launcher.exe.1.drStatic PE information: section name: .gxfg
                Source: msedge_pwa_launcher.exe.1.drStatic PE information: section name: .retplne
                Source: msedge_pwa_launcher.exe.1.drStatic PE information: section name: LZMADEC
                Source: msedge_pwa_launcher.exe.1.drStatic PE information: section name: _RDATA
                Source: msedge_pwa_launcher.exe.1.drStatic PE information: section name: malloc_h
                Source: notification_click_helper.exe.1.drStatic PE information: section name: .00cfg
                Source: notification_click_helper.exe.1.drStatic PE information: section name: .gxfg
                Source: notification_click_helper.exe.1.drStatic PE information: section name: .retplne
                Source: notification_click_helper.exe.1.drStatic PE information: section name: CPADinfo
                Source: notification_click_helper.exe.1.drStatic PE information: section name: _RDATA
                Source: notification_click_helper.exe.1.drStatic PE information: section name: malloc_h
                Source: pwahelper.exe.1.drStatic PE information: section name: .00cfg
                Source: pwahelper.exe.1.drStatic PE information: section name: .gxfg
                Source: pwahelper.exe.1.drStatic PE information: section name: .retplne
                Source: pwahelper.exe.1.drStatic PE information: section name: _RDATA
                Source: pwahelper.exe.1.drStatic PE information: section name: malloc_h
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00428945 push ecx; ret 0_2_00428958
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00402F12 push es; retf 0_2_00402F13
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00A991F4 push 00A98E1Ah; ret 0_2_00A99153
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00A9B108 push 00A9B053h; ret 0_2_00A9B0FE
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00A9B108 push 00A9B682h; ret 0_2_00A9B633
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00A98140 push 00A95D22h; ret 0_2_00A95CB0
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00A98140 push 00A95C60h; ret 0_2_00A95D09
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00A98140 push 00A95FAEh; ret 0_2_00A95F1A
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00A98140 push 00A95EE7h; ret 0_2_00A95F39
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00A98140 push 00A962B2h; ret 0_2_00A9604C
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00A98140 push 00A9631Bh; ret 0_2_00A9639A
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00A98140 push 00A963FFh; ret 0_2_00A9642E
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00A98140 push 00A96C2Dh; ret 0_2_00A96C55
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00A98140 push 00A96D50h; ret 0_2_00A96CA5
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00A98140 push 00A96F50h; ret 0_2_00A96D60
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00A98140 push 00A96FDFh; ret 0_2_00A96DE5
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00A98140 push 00A96D86h; ret 0_2_00A96E6E
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00A98140 push 00A96EFDh; ret 0_2_00A96E8A
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00A98140 push 00A97342h; ret 0_2_00A96EAE
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00A98140 push 00A971D0h; ret 0_2_00A96EE0
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00A98140 push 00A96F98h; ret 0_2_00A96F15
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00A98140 push 00A97059h; ret 0_2_00A96F4B
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00A98140 push 00A9725Ch; ret 0_2_00A970C7
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00A98140 push 00A97232h; ret 0_2_00A9718A
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00A98140 push 00A96CDAh; ret 0_2_00A971FE
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00A98140 push 00A96E99h; ret 0_2_00A972B4
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00A98140 push 00A96DE7h; ret 0_2_00A972BE
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00A98140 push 00A96D33h; ret 0_2_00A97341
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00A98140 push 00A9781Ah; ret 0_2_00A976FA
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00A98140 push 00A9787Ah; ret 0_2_00A97715
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00A98140 push 00A98165h; ret 0_2_00A98198
                Source: Request for Quotation 2170032137 PDF.exeStatic PE information: section name: .reloc entropy: 7.920453182501607
                Source: AppVClient.exe.0.drStatic PE information: section name: .reloc entropy: 7.923571995967808
                Source: os_update_handler.exe.1.drStatic PE information: section name: .reloc entropy: 7.931207486769806
                Source: chrome_proxy.exe.1.drStatic PE information: section name: .reloc entropy: 7.928344527718222
                Source: jusched.exe.1.drStatic PE information: section name: .reloc entropy: 7.924938017564387
                Source: default-browser-agent.exe.1.drStatic PE information: section name: .reloc entropy: 7.929306088730131
                Source: firefox.exe.1.drStatic PE information: section name: .reloc entropy: 7.926487500786156
                Source: minidump-analyzer.exe.1.drStatic PE information: section name: .reloc entropy: 7.92234852743469
                Source: updater.exe.1.drStatic PE information: section name: .reloc entropy: 7.870914410967208
                Source: elevation_service.exe.1.drStatic PE information: section name: .reloc entropy: 7.933948885824905
                Source: FXSSVC.exe.1.drStatic PE information: section name: .reloc entropy: 7.930073173603245
                Source: elevation_service.exe0.1.drStatic PE information: section name: .reloc entropy: 7.932987630420484
                Source: SensorDataService.exe.1.drStatic PE information: section name: .reloc entropy: 7.922524493785831
                Source: Spectrum.exe.1.drStatic PE information: section name: .reloc entropy: 7.933292641190903
                Source: AgentService.exe.1.drStatic PE information: section name: .reloc entropy: 7.924357475306183
                Source: vds.exe.1.drStatic PE information: section name: .reloc entropy: 7.928803297486964
                Source: identity_helper.exe.1.drStatic PE information: section name: .reloc entropy: 7.928231938365141
                Source: setup.exe.1.drStatic PE information: section name: .reloc entropy: 7.932272042224054
                Source: msedgewebview2.exe.1.drStatic PE information: section name: .reloc entropy: 7.923539076942259
                Source: VSSVC.exe.1.drStatic PE information: section name: .reloc entropy: 7.927142190372757
                Source: wbengine.exe.1.drStatic PE information: section name: .reloc entropy: 7.929010174899763
                Source: wmpnetwk.exe.1.drStatic PE information: section name: .reloc entropy: 7.93481584351523
                Source: SearchIndexer.exe.1.drStatic PE information: section name: .reloc entropy: 7.93377705186122
                Source: msedge_proxy.exe.1.drStatic PE information: section name: .reloc entropy: 7.9298618434166395
                Source: msedge_pwa_launcher.exe.1.drStatic PE information: section name: .reloc entropy: 7.934256955724041
                Source: notification_click_helper.exe.1.drStatic PE information: section name: .reloc entropy: 7.931767432937238
                Source: pwahelper.exe.1.drStatic PE information: section name: .reloc entropy: 7.9284064462928345

                Persistence and Installation Behavior

                barindex
                Drops executable to a common third party application directory
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeFile written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\crashreporter.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\crashreporter.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\crashreporter.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\crashreporter.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\crashreporter.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\crashreporter.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\crashreporter.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\crashreporter.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\crashreporter.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\crashreporter.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\crashreporter.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\crashreporter.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\crashreporter.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\crashreporter.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\default-browser-agent.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\default-browser-agent.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\default-browser-agent.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\default-browser-agent.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\default-browser-agent.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\default-browser-agent.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\default-browser-agent.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\default-browser-agent.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\default-browser-agent.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\default-browser-agent.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\default-browser-agent.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\firefox.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\firefox.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\firefox.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\firefox.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\firefox.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\firefox.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\firefox.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\firefox.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\firefox.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\firefox.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\firefox.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\maintenanceservice.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\maintenanceservice.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\maintenanceservice.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\maintenanceservice.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\maintenanceservice.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\maintenanceservice.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\maintenanceservice.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\maintenanceservice.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\maintenanceservice.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\maintenanceservice.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\maintenanceservice.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\maintenanceservice.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\maintenanceservice.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\maintenanceservice.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\pingsender.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\pingsender.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\pingsender.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\pingsender.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\pingsender.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\pingsender.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\pingsender.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\pingsender.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\pingsender.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\pingsender.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\pingsender.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\pingsender.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\pingsender.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\pingsender.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\updater.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\updater.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\updater.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\updater.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\updater.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\updater.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\updater.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\updater.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\updater.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\updater.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\updater.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\updater.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\updater.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Mozilla Firefox\updater.exeJump to behavior
                Infects executable files (exe, dll, sys, html)
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Windows\System32\wbem\WmiApSrv.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Mozilla Firefox\pingsender.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Windows\System32\vds.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeSystem file written: C:\Windows\System32\alg.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\7-Zip\7zFM.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Windows\System32\snmptrap.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Windows\System32\Spectrum.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Windows Media Player\wmpnetwk.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Windows\System32\Locator.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\updater.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\7-Zip\7z.exeJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeSystem file written: C:\Windows\System32\AppVClient.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Mozilla Firefox\crashreporter.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Windows\SysWOW64\perfhost.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\7-Zip\7zG.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Windows\System32\msiexec.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Windows\System32\VSSVC.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Windows\System32\wbengine.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Windows\System32\SearchIndexer.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Windows\System32\TieringEngineService.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Mozilla Firefox\firefox.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files (x86)\AutoIt3\Au3Info.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Mozilla Firefox\updater.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files (x86)\AutoIt3\Au3Check.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Windows\System32\AgentService.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\7-Zip\Uninstall.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Windows\System32\FXSSVC.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeSystem file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Windows\System32\OpenSSH\ssh-agent.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Windows\System32\SensorDataService.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Windows\System32\msdtc.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Mozilla Firefox\pingsender.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXEJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\vds.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\snmptrap.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\Spectrum.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Windows Media Player\wmpnetwk.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\Locator.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Mozilla Firefox\default-browser-agent.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\updater.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\7-Zip\7z.exeJump to dropped file
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeFile created: C:\Windows\System32\AppVClient.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Mozilla Firefox\crashreporter.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\SysWOW64\perfhost.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\7-Zip\7zG.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\msiexec.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Mozilla Firefox\maintenanceservice.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Mozilla Firefox\firefox.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\TieringEngineService.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Mozilla Firefox\updater.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\AutoIt3\Au3Check.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\7-Zip\Uninstall.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\FXSSVC.exeJump to dropped file
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeFile created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\SensorDataService.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXEJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\msdtc.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\wbem\WmiApSrv.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Mozilla Firefox\minidump-analyzer.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to dropped file
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeFile created: C:\Windows\System32\alg.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\7-Zip\7zFM.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\VSSVC.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\wbengine.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\SearchIndexer.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\AutoIt3\Au3Info.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\AgentService.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Google\Chrome\Application\chrome_proxy.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\OpenSSH\ssh-agent.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\snmptrap.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\Spectrum.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\Locator.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\AgentService.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\VSSVC.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\wbengine.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\wbem\WmiApSrv.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\SearchIndexer.exeJump to dropped file
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeFile created: C:\Windows\System32\AppVClient.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\FXSSVC.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\TieringEngineService.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\vds.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\OpenSSH\ssh-agent.exeJump to dropped file
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeFile created: C:\Windows\System32\alg.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\SysWOW64\perfhost.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\msiexec.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\SensorDataService.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\msdtc.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeJump to dropped file

                Hooking and other Techniques for Hiding and Protection

                barindex
                Creates files inside the volume driver (system volume information)
                Source: C:\Windows\System32\TieringEngineService.exeFile created: C:\System Volume Information\Heat\
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_004048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_004048D7
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00485376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00485376
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00423187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00423187
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\mfpmp.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\mfpmp.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\mfpmp.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\mfpmp.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\mfpmp.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                barindex
                Switches to a custom stack to bypass stack traces
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeAPI/Special instruction interceptor: Address: BFB0F4
                Source: C:\Windows\SysWOW64\mfpmp.exeAPI/Special instruction interceptor: Address: 7FFCC372D324
                Source: C:\Windows\SysWOW64\mfpmp.exeAPI/Special instruction interceptor: Address: 7FFCC372D7E4
                Source: C:\Windows\SysWOW64\mfpmp.exeAPI/Special instruction interceptor: Address: 7FFCC372D944
                Source: C:\Windows\SysWOW64\mfpmp.exeAPI/Special instruction interceptor: Address: 7FFCC372D504
                Source: C:\Windows\SysWOW64\mfpmp.exeAPI/Special instruction interceptor: Address: 7FFCC372D544
                Source: C:\Windows\SysWOW64\mfpmp.exeAPI/Special instruction interceptor: Address: 7FFCC372D1E4
                Source: C:\Windows\SysWOW64\mfpmp.exeAPI/Special instruction interceptor: Address: 7FFCC3730154
                Source: C:\Windows\SysWOW64\mfpmp.exeAPI/Special instruction interceptor: Address: 7FFCC372DA44
                Source: C:\Windows\System32\msdtc.exeWindow / User API: threadDelayed 491Jump to behavior
                Source: C:\Windows\SysWOW64\perfhost.exeWindow / User API: threadDelayed 7493Jump to behavior
                Source: C:\Windows\SysWOW64\perfhost.exeWindow / User API: threadDelayed 2505Jump to behavior
                Source: C:\Windows\SysWOW64\mfpmp.exeWindow / User API: threadDelayed 4448
                Source: C:\Windows\SysWOW64\mfpmp.exeWindow / User API: threadDelayed 4592
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Mozilla Firefox\pingsender.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXEJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Windows Media Player\wmpnetwk.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Mozilla Firefox\default-browser-agent.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\updater.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\7-Zip\7z.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeJump to dropped file
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeDropped PE file which has not been started: C:\Windows\System32\AppVClient.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Mozilla Firefox\crashreporter.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\7-Zip\7zG.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Windows\System32\msiexec.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Mozilla Firefox\maintenanceservice.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Mozilla Firefox\firefox.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Mozilla Firefox\updater.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXEJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Windows\System32\wbem\WmiApSrv.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Mozilla Firefox\minidump-analyzer.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\7-Zip\7zFM.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Windows\System32\VSSVC.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Windows\System32\SearchIndexer.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\chrome_proxy.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to dropped file
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exeJump to dropped file
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-211532
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_0-213352
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeAPI coverage: 5.5 %
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exe TID: 7772Thread sleep time: -30000s >= -30000sJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe TID: 7824Thread sleep time: -630000s >= -30000sJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe TID: 7816Thread sleep time: -30000s >= -30000sJump to behavior
                Source: C:\Windows\System32\msdtc.exe TID: 7400Thread sleep count: 491 > 30Jump to behavior
                Source: C:\Windows\System32\msdtc.exe TID: 7400Thread sleep time: -49100s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\perfhost.exe TID: 2624Thread sleep count: 7493 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\perfhost.exe TID: 2624Thread sleep time: -74930000s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\perfhost.exe TID: 2624Thread sleep count: 2505 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\perfhost.exe TID: 2624Thread sleep time: -25050000s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\mfpmp.exe TID: 8668Thread sleep count: 4448 > 30
                Source: C:\Windows\SysWOW64\mfpmp.exe TID: 8668Thread sleep time: -8896000s >= -30000s
                Source: C:\Windows\SysWOW64\mfpmp.exe TID: 8668Thread sleep count: 4592 > 30
                Source: C:\Windows\SysWOW64\mfpmp.exe TID: 8668Thread sleep time: -9184000s >= -30000s
                Source: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exe TID: 8808Thread sleep time: -30000s >= -30000s
                Source: C:\Windows\SysWOW64\perfhost.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\perfhost.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\mfpmp.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\mfpmp.exeLast function: Thread delayed
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_0046445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_0046445A
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_0046C6D1 FindFirstFileW,FindClose,0_2_0046C6D1
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_0046C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0046C75C
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_0046EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0046EF95
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_0046F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0046F0F2
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_0046F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0046F3F3
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_004637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_004637EF
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00463B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00463B12
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_0046BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0046BCBC
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_004049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_004049A0
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\java.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaw.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaws.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\java.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaw.exeJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaws.exeJump to behavior
                Source: SensorDataService.exe, 00000013.00000003.1367610128.0000000000497000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: pISCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
                Source: Spectrum.exe, 00000018.00000003.1288270354.0000000000682000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000018.00000003.1288360929.0000000000682000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft Hyper-V Generation Countersc%;Microsoft Hyper-V Generation Counter24h<4h
                Source: Spectrum.exe, 00000018.00000003.1288270354.0000000000672000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
                Source: Spectrum.exe, 00000018.00000003.1288414057.0000000000693000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: iSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                Source: mfpmp.exe, 0000000F.00000002.2419863216.0000000002CC8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllS
                Source: SensorDataService.exe, 00000013.00000003.1268427492.000000000048E000.00000004.00000020.00020000.00000000.sdmp, SensorDataService.exe, 00000013.00000003.1268596489.000000000048E000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000018.00000003.1286142601.0000000000682000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000018.00000003.1286254522.0000000000682000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000018.00000003.1286387994.0000000000685000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Drivertion Infrastructure Driver
                Source: Spectrum.exe, 00000018.00000003.1286387994.0000000000685000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: hSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
                Source: Request for Quotation 2170032137 PDF.exe, 00000000.00000002.1163263435.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1205489687.000000000094E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1220928824.000000000094E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1167901408.000000000094E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1684983703.000000000094E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1676599254.000000000094E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1482871481.000000000094E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1663418164.000000000094E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1186910692.000000000094E000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000001.00000003.1695641462.000000000094E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: SensorDataService.exe, 00000013.00000003.1268427492.000000000047F000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000018.00000003.1286142601.0000000000673000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000018.00000003.1288270354.0000000000672000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @wgencounter.inf,%gencounter.devicedesc%;Microsoft Hyper-V Generation Counter
                Source: Spectrum.exe, 00000018.00000003.1286387994.0000000000685000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Virtual disk SCSI Disk Devicer
                Source: SensorDataService.exe, 00000013.00000003.1268596489.000000000048E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ISCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                Source: Spectrum.exe, 00000018.00000002.2416839258.000000000065B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @oem2.infloc.vmwarebusdevicedescVMware VMCI Bus Device7
                Source: Spectrum.exe, 00000018.00000003.1288270354.0000000000672000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                Source: Spectrum.exe, 00000018.00000002.2425624186.0000000000684000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: iSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
                Source: JHafvhydouNovF.exe, 00000023.00000002.2445455154.0000000000649000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: SensorDataService.exe, 00000013.00000003.1268427492.000000000047F000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000018.00000003.1286142601.0000000000673000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000018.00000003.1288270354.0000000000672000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @wvid.inf,%vid.devicedesc%;Microsoft Hyper-V Virtualization Infrastructure Driver`
                Source: snmptrap.exe, 00000017.00000002.2406100676.0000000000516000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll==
                Source: ssh-agent.exe, 0000001A.00000002.2420887681.000000000048B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllss
                Source: Spectrum.exe, 00000018.00000003.1286387994.0000000000685000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware VMCI Bus Devicesdevicedesc%;VMware VMCI Bus Device~
                Source: Spectrum.exe, 00000018.00000003.1286387994.0000000000685000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: NECVMWar VMware SATA CD00\
                Source: Spectrum.exe, 00000018.00000003.1288270354.0000000000672000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: v@oem2.inf,%loc.vmwarebusdevicedesc%;VMware VMCI Bus Device
                Source: Spectrum.exe, 00000018.00000003.1288270354.0000000000672000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 4NECVMWar VMware SATA CD00
                Source: Spectrum.exe, 00000018.00000002.2425624186.0000000000684000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: hSCSI\Disk&Ven_VMware&Prod_Virtua
                Source: SensorDataService.exe, 00000013.00000003.1268799223.000000000047C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: V Generation Countersc%;Microsoft Hyper-V Generation Counter.dll,-2414
                Source: firefox.exe, 00000026.00000002.1659998498.00000245E136B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4
                Source: SensorDataService.exe, 00000013.00000003.1367610128.0000000000497000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: NECVMWar VMware SATA CD00
                Source: SensorDataService.exe, 00000013.00000003.1268596489.000000000048E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Virtual disk SCSI Disk Device
                Source: Spectrum.exe, 00000018.00000003.1286387994.0000000000685000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: hSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                Source: Spectrum.exe, 00000018.00000003.1288414057.0000000000693000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Virtual disk SCSI Disk DeviceR
                Source: Spectrum.exe, 00000018.00000003.1288414057.0000000000693000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware VMCI Bus Devicesdevicedesc%;VMware VMCI Bus Device
                Source: SensorDataService.exe, 00000013.00000003.1268724601.000000000047B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft Hyper-V Generation Countersc%;Microsoft Hyper-V Generation Counter.dll,-2414
                Source: Spectrum.exe, 00000018.00000003.1288270354.0000000000682000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000018.00000003.1288360929.0000000000682000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000018.00000002.2425624186.0000000000684000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Drivertion Infrastructure DriverR
                Source: Spectrum.exe, 00000018.00000002.2425624186.0000000000684000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: NECVMWar VMware SATA CD00{298K&Z
                Source: Spectrum.exe, 00000018.00000003.1288270354.0000000000672000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: JVMware Virtual disk SCSI Disk Device
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeAPI call chain: ExitProcess graph end nodegraph_0-211068
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeAPI call chain: ExitProcess graph end nodegraph_0-210639
                Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior
                Source: C:\Windows\SysWOW64\mfpmp.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00473F09 BlockInput,0_2_00473F09
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00403B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00403B3A
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00435A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00435A7C
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00404B37 LoadLibraryA,GetProcAddress,0_2_00404B37
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_0056EFF8 mov eax, dword ptr fs:[00000030h]0_2_0056EFF8
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00A91130 mov eax, dword ptr fs:[00000030h]0_2_00A91130
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00AD34CD mov eax, dword ptr fs:[00000030h]0_2_00AD34CD
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00BFB3C0 mov eax, dword ptr fs:[00000030h]0_2_00BFB3C0
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00BFB360 mov eax, dword ptr fs:[00000030h]0_2_00BFB360
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00BF9D30 mov eax, dword ptr fs:[00000030h]0_2_00BF9D30
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_004580A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,0_2_004580A9
                Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_0042A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0042A155
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_0042A124 SetUnhandledExceptionFilter,0_2_0042A124
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00AD420B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00AD420B
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00AD08F1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00AD08F1

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Found direct / indirect Syscall (likely to bypass EDR)
                Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeNtOpenKeyEx: Indirect: 0x140077B9BJump to behavior
                Source: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exeNtCreateFile: Direct from: 0x77752FEC
                Source: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exeNtOpenFile: Direct from: 0x77752DCC
                Source: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exeNtSetInformationThread: Direct from: 0x77752ECC
                Source: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exeNtQueryInformationToken: Direct from: 0x77752CAC
                Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeNtQueryValueKey: Indirect: 0x140077C9FJump to behavior
                Source: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exeNtTerminateThread: Direct from: 0x77752FCC
                Source: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exeNtProtectVirtualMemory: Direct from: 0x77752F9C
                Source: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exeNtSetInformationProcess: Direct from: 0x77752C5C
                Source: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exeNtNotifyChangeKey: Direct from: 0x77753C2C
                Source: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exeNtOpenKeyEx: Direct from: 0x77752B9C
                Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeNtClose: Indirect: 0x140077E81
                Source: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exeNtOpenSection: Direct from: 0x77752E0C
                Source: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exeNtTerminateThread: Direct from: 0x77747B2EJump to behavior
                Source: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exeNtAllocateVirtualMemory: Direct from: 0x777548ECJump to behavior
                Source: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exeNtQueryVolumeInformationFile: Direct from: 0x77752F2CJump to behavior
                Source: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exeNtQuerySystemInformation: Direct from: 0x777548CC
                Source: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exeNtAllocateVirtualMemory: Direct from: 0x77752BEC
                Source: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exeNtDeviceIoControlFile: Direct from: 0x77752AEC
                Source: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exeNtCreateUserProcess: Direct from: 0x7775371CJump to behavior
                Source: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exeNtWriteVirtualMemory: Direct from: 0x7775490CJump to behavior
                Source: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exeNtQueryInformationProcess: Direct from: 0x77752C26
                Source: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exeNtResumeThread: Direct from: 0x77752FBCJump to behavior
                Source: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exeNtReadVirtualMemory: Direct from: 0x77752E8CJump to behavior
                Source: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exeNtCreateKey: Direct from: 0x77752C6C
                Source: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exeNtSetInformationThread: Direct from: 0x77752B4C
                Source: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exeNtQueryAttributesFile: Direct from: 0x77752E6C
                Source: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exeNtAllocateVirtualMemory: Direct from: 0x77753C9C
                Source: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exeNtClose: Direct from: 0x77752B6C
                Source: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exeNtCreateMutant: Direct from: 0x777535CC
                Source: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exeNtWriteVirtualMemory: Direct from: 0x77752E3CJump to behavior
                Source: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exeNtMapViewOfSection: Direct from: 0x77752D1C
                Source: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exeNtResumeThread: Direct from: 0x777536AC
                Source: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exeNtReadFile: Direct from: 0x77752ADCJump to behavior
                Source: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exeNtQuerySystemInformation: Direct from: 0x77752DFC
                Source: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exeNtDelayExecution: Direct from: 0x77752DDC
                Source: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exeNtAllocateVirtualMemory: Direct from: 0x77752BFC
                Maps a DLL or memory area into another process
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeSection loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeSection loaded: NULL target: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeSection loaded: NULL target: C:\Windows\SysWOW64\mfpmp.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: NULL target: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exe protection: read write
                Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: NULL target: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\mfpmp.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Modifies the context of a thread in another process (thread injection)
                Source: C:\Windows\SysWOW64\mfpmp.exeThread register set: target process: 8996
                Queues an APC in another process (thread injection)
                Source: C:\Windows\SysWOW64\mfpmp.exeThread APC queued: target process: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exe
                Writes to foreign memory regions
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 2BE6008Jump to behavior
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_004587B1 LogonUserW,0_2_004587B1
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00403B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00403B3A
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_004048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_004048D7
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00464C53 mouse_event,0_2_00464C53
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exe"Jump to behavior
                Source: C:\Program Files (x86)\nLQOfBOrCOieKElqUulLbIwvUAfUlxrHQzbHjlZBUUQ\JHafvhydouNovF.exeProcess created: C:\Windows\SysWOW64\mfpmp.exe "C:\Windows\SysWOW64\mfpmp.exe"Jump to behavior
                Source: C:\Windows\SysWOW64\mfpmp.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00457CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00457CAF
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_0045874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_0045874B
                Source: Request for Quotation 2170032137 PDF.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: JHafvhydouNovF.exe, 0000000D.00000000.1243969012.00000000015C0000.00000002.00000001.00040000.00000000.sdmp, JHafvhydouNovF.exe, 0000000D.00000002.2447946106.00000000015C0000.00000002.00000001.00040000.00000000.sdmp, JHafvhydouNovF.exe, 00000023.00000000.1403058767.0000000000CE0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: XProgram Manager
                Source: Request for Quotation 2170032137 PDF.exe, JHafvhydouNovF.exe, 0000000D.00000000.1243969012.00000000015C0000.00000002.00000001.00040000.00000000.sdmp, JHafvhydouNovF.exe, 0000000D.00000002.2447946106.00000000015C0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
                Source: JHafvhydouNovF.exe, 0000000D.00000000.1243969012.00000000015C0000.00000002.00000001.00040000.00000000.sdmp, JHafvhydouNovF.exe, 0000000D.00000002.2447946106.00000000015C0000.00000002.00000001.00040000.00000000.sdmp, JHafvhydouNovF.exe, 00000023.00000000.1403058767.0000000000CE0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
                Source: Acrobat.exe.1.drBinary or memory string: REINSTALLMODE=omus DISABLE_FIU_CHECK=1 IGNOREAAM=1 REPAIRFROMAPP=1 INSTALLUWPAPP=1 IS_COEX_REPAIR=1 /qn/qb REINSTALLMODE=omus DISABLE_FIU_CHECK=1 IGNOREAAM=1 REPAIRFROMAPP=1 BROADCASTCEFRELOAD=1 \/0\*cef_*/qn CLEANUP_CEFFOLDER=1 DISABLE_FIU_CHECK=1 /i msiexec.exe/i ADD_ALL_DICT=1 REINSTALL=AdobeCommonLinguistics SKIP_WEBRCS_REINSTALL=1 SKIP_CEF_KILL=1 /qn.msiexec.exe/i ADDLOCAL=OptionalFeatures,DistillerCJKNative,DistillerCJKSupport,PaperCaptureOptional,PreFlightPlugin DISABLE_FIU_CHECK=1 TRANSITION_INSTALL_MODE=4 SKIP_WEBRCS_REINSTALL=1 SKIP_CEF_KILL=1 /qn\msiexec.exeSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList\MRUListAcrobat.exeMRUListAppDoNotTakePDFOwnershipAtLaunch\\\AppDoNotTakePDFOwnershipAtLaunchWin10DisableOwnershipPrompt.pdf.pdfxml.acrobatsecuritysettings.fdf.xfdf.xdp.pdx.api.secstore.sequ.rmf.bpdxAdobe Acrobat XI ProRtlGetVersionntdll.dll\??\UNC\\\?\UNC\\Device\Mup\\Device\LanmanRedirector\\Device\WebDavRedirector\\Device\WinDfs\\Device\NetWareRedirector\\Device\nwrdr\RtlGetVersionntdll.dllAdobe Systems, IncorporatedAdobe Inc.Adobe Systems Incorporated1.3.6.1.4.1.311.2.1.121.3.6.1.4.1.311.2.1.121.3.6.1.4.1.311.2.1.121.2.840.113549.1.9.61.3.6.1.4.1.311.3.3.1kernel32IsWow64ProcessSystem\CurrentControlSet\Control\CitrixProductVersionNumSoftware\Adobe\Acrobat\ExeSoftware\Microsoft\Windows\CurrentVersion\Policies\SystemEnableLUA/RegisterFileTypesOwnership /PRODUCT:Acrobat /VERSION:12.0 /FixPDF 3305580Click on 'Change' to select default PDF handler.pdf Properties#32770Click on 'Change' to select default PDF handler Properties#32770/\Click on 'Change' to select default PDF handler#32770ADelRCP.exepropertiesClick on 'Change' to select default PDF handler.pdfShowAppPickerForPDF.exeProgram ManagerPROGMANApplicationClick on 'Change' to select default PDF handler.pdf Properties#32770Click on 'Change' to select default PDF handler Properties#3277012Click on 'Change' to select default PDF handler#32770Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice.0Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice\InstallerSoftware\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdfSOFTWARE\Adobe\Acrobat Reader\12{A6EADE66-0000-0000-484E-7E8A45000000}{AC76BA86-0000-0000-7761-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\{AC76BA86-0000-0000-7760-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\{AC76BA86-0000-0000-BA7E-7E8A45000000}SOFTWARE\Adobe\Adobe Acrobat\VersionMajorVersionMinorVersionStringInstalledProductNameAdobe AcrobatreaderSOFTWARE\Wow6432Node\Adobe\Acrobat Reader\.0SOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat Reader\SOFTWARE\Adobe\Adobe Acrobat\PATHVersionMajorVersionMinor7760-BA7E-7AD7-VersionStringInstalledProductNameAdobe AcrobatreaderDCSOFTWARE\Wow6432Node\Adobe\Acrobat Reader\\InstallerSOFTWARE\Wow6432Node\Adobe\Adobe Acrobat\SOFTWARE\Adobe\Acrobat Reader\SOFTWARE\Adobe\Adobe Acrobat\ENU_GUIDPATHInstallLocationAcrobat.Document.DC.pdf{AC76BA86-0000-00
                Source: JHafvhydouNovF.exe, 0000000D.00000000.1243969012.00000000015C0000.00000002.00000001.00040000.00000000.sdmp, JHafvhydouNovF.exe, 0000000D.00000002.2447946106.00000000015C0000.00000002.00000001.00040000.00000000.sdmp, JHafvhydouNovF.exe, 00000023.00000000.1403058767.0000000000CE0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_0042862B cpuid 0_2_0042862B
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\FXSSVC.exeQueries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\Queue\TST866C.tmp VolumeInformationJump to behavior
                Source: C:\Windows\System32\FXSSVC.exeQueries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\TST867C.tmp VolumeInformationJump to behavior
                Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\perfhost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\Spectrum.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\OpenSSH\ssh-agent.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\TieringEngineService.exeKey value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation Bias
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00434E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00434E87
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00441E06 GetUserNameW,0_2_00441E06
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00433F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_00433F3A
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_004049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_004049A0

                Stealing of Sensitive Information

                barindex
                Yara detected FormBook
                Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000F.00000002.2452791922.0000000002DF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1319122745.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.2453998718.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1321465488.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000023.00000002.2467620602.00000000049F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.2405286920.0000000002820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000D.00000002.2454038999.0000000002CB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1319902942.0000000003360000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Tries to harvest and steal browser information (history, passwords, etc)
                Source: C:\Windows\SysWOW64\mfpmp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\CookiesJump to behavior
                Source: C:\Windows\SysWOW64\mfpmp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                Source: C:\Windows\SysWOW64\mfpmp.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\mfpmp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                Source: C:\Windows\SysWOW64\mfpmp.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                Source: C:\Windows\SysWOW64\mfpmp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local StateJump to behavior
                Source: C:\Windows\SysWOW64\mfpmp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local StateJump to behavior
                Source: C:\Windows\SysWOW64\mfpmp.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Tries to steal Mail credentials (via file / registry access)
                Source: C:\Windows\SysWOW64\mfpmp.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
                Source: Request for Quotation 2170032137 PDF.exeBinary or memory string: WIN_81
                Source: Request for Quotation 2170032137 PDF.exeBinary or memory string: WIN_XP
                Source: Request for Quotation 2170032137 PDF.exeBinary or memory string: WIN_XPe
                Source: Request for Quotation 2170032137 PDF.exeBinary or memory string: WIN_VISTA
                Source: Request for Quotation 2170032137 PDF.exeBinary or memory string: WIN_7
                Source: Request for Quotation 2170032137 PDF.exeBinary or memory string: WIN_8
                Source: Request for Quotation 2170032137 PDF.exeBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

                Remote Access Functionality

                barindex
                Yara detected FormBook
                Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000F.00000002.2452791922.0000000002DF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1319122745.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.2453998718.0000000002E40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1321465488.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000023.00000002.2467620602.00000000049F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.2405286920.0000000002820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000D.00000002.2454038999.0000000002CB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1319902942.0000000003360000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00476283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_00476283
                Source: C:\Users\user\Desktop\Request for Quotation 2170032137 PDF.exeCode function: 0_2_00476747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00476747

                Mitre Att&ck Matrix

                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity InformationAcquire Infrastructure2
                Valid Accounts                		3
                Native API                		1
                LSASS Driver                		1
                Exploitation for Privilege Escalation                		1
                Disable or Modify Tools                		1
                OS Credential Dumping                		12
                System Time Discovery                		1
                Taint Shared Content                		1
                Archive Collected Data                		4
                Ingress Tool Transfer                		Exfiltration Over Other Network Medium1
                System Shutdown/Reboot
                CredentialsDomainsDefault AccountsScheduled Task/Job1
                DLL Side-Loading                		1
                Abuse Elevation Control Mechanism                		1
                Deobfuscate/Decode Files or Information                		21
                Input Capture                		1
                Account Discovery                		Remote Desktop Protocol1
                Data from Local System                		1
                Encrypted Channel                		Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAt2
                Valid Accounts                		1
                LSASS Driver                		1
                Abuse Elevation Control Mechanism                		Security Account Manager3
                File and Directory Discovery                		SMB/Windows Admin Shares1
                Email Collection                		4
                Non-Application Layer Protocol                		Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
                DLL Side-Loading                		3
                Obfuscated Files or Information                		NTDS126
                System Information Discovery                		Distributed Component Object Model21
                Input Capture                		4
                Application Layer Protocol                		Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script2
                Valid Accounts                		1
                Software Packing                		LSA Secrets141
                Security Software Discovery                		SSH3
                Clipboard Data                		Fallback ChannelsScheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts21
                Access Token Manipulation                		1
                Timestomp                		Cached Domain Credentials2
                Virtualization/Sandbox Evasion                		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup Items412
                Process Injection                		1
                DLL Side-Loading                		DCSync3
                Process Discovery                		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                File Deletion                		Proc Filesystem11
                Application Window Discovery                		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt222
                Masquerading                		/etc/passwd and /etc/shadow1
                System Owner/User Discovery                		Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron2
                Valid Accounts                		Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd2
                Virtualization/Sandbox Evasion                		Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption
                Gather Victim Org InformationDNS ServerCompromise Software Supply ChainWindows Command ShellScheduled TaskScheduled Task21
                Access Token Manipulation                		KeyloggingProcess DiscoveryTaint Shared ContentScreen CaptureDNSExfiltration Over Physical MediumResource Hijacking
                Determine Physical LocationsVirtual Private ServerCompromise Hardware Supply ChainUnix ShellSystemd TimersSystemd Timers412
                Process Injection                		GUI Input CapturePermission Groups DiscoveryReplication Through Removable MediaEmail CollectionProxyExfiltration over USBNetwork Denial of Service

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1642618 Sample: Request for Quotation 21700... Startdate: 19/03/2025 Architecture: WINDOWS Score: 100 50 www.stakemask.xyz 2->50 52 www.publicblockchain.xyz 2->52 54 105 other IPs or domains 2->54 70 Suricata IDS alerts for network traffic 2->70 72 Antivirus detection for URL or domain 2->72 74 Antivirus detection for dropped file 2->74 78 9 other signatures 2->78 10 armsvc.exe 1 2->10         started        15 Request for Quotation 2170032137 PDF.exe 3 2->15         started        17 elevation_service.exe 2->17         started        19 15 other processes 2->19 signatures3 76 Performs DNS queries to domains with low reputation 52->76 process4 dnsIp5 56 dlynankz.biz 85.214.228.140, 49784, 80 STRATOSTRATOAGDE Germany 10->56 58 gjogvvpsf.biz 208.117.43.225, 49748, 49758, 49816 STEADFASTUS United States 10->58 64 17 other IPs or domains 10->64 36 C:\Windows\System32\wbengine.exe, PE32+ 10->36 dropped 38 C:\Windows\System32\wbem\WmiApSrv.exe, PE32+ 10->38 dropped 40 C:\Windows\System32\vds.exe, PE32+ 10->40 dropped 48 130 other malicious files 10->48 dropped 92 Drops executable to a common third party application directory 10->92 94 Infects executable files (exe, dll, sys, html) 10->94 60 acwjcqqv.biz 13.213.51.196, 49711, 49713, 49721 AMAZON-02US United States 15->60 62 ywffr.biz 52.11.240.239, 49710, 49712, 49714 AMAZON-02US United States 15->62 42 C:\Windows\System32\alg.exe, PE32+ 15->42 dropped 44 C:\Windows\System32\AppVClient.exe, PE32+ 15->44 dropped 46 C:\Program Files (x86)\...\armsvc.exe, PE32 15->46 dropped 96 Binary is likely a compiled AutoIt script file 15->96 98 Writes to foreign memory regions 15->98 100 Maps a DLL or memory area into another process 15->100 21 svchost.exe 15->21         started        102 Found direct / indirect Syscall (likely to bypass EDR) 17->102 104 Creates files inside the volume driver (system volume information) 19->104 file6 signatures7 process8 signatures9 80 Maps a DLL or memory area into another process 21->80 24 JHafvhydouNovF.exe 21->24 injected process10 signatures11 82 Found direct / indirect Syscall (likely to bypass EDR) 24->82 27 mfpmp.exe 24->27         started        process12 signatures13 84 Tries to steal Mail credentials (via file / registry access) 27->84 86 Tries to harvest and steal browser information (history, passwords, etc) 27->86 88 Modifies the context of a thread in another process (thread injection) 27->88 90 3 other signatures 27->90 30 JHafvhydouNovF.exe 27->30 injected 34 firefox.exe 27->34         started        process14 dnsIp15 66 www.dresses-executive.sbs 199.59.243.160, 49770, 49773, 49776 BODIS-NJUS United States 30->66 68 www.dappbtc.xyz 13.248.169.48, 49737, 49754, 49757 AMAZON-02US United States 30->68 106 Found direct / indirect Syscall (likely to bypass EDR) 30->106 signatures16

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.