Windows Analysis Report
PA.bin.exe

Overview

General Information

Sample name: PA.bin.exe
Analysis ID: 1663629
MD5: 58dbf2df74dd9b5f7538c649b494f9c4
SHA1: 09dcc6cf400f31446b2f0f15751d470fc44526d3
SHA256: a6d4406683626aa86a4b4cca84ea4e3b9c744803f3ff396b916f4562fe8336f0
Tags: exe, user-aachum

Detection

Score: 56
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops certificate files (DER)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry

Classification

  • System is w10x64
  • PA.bin.exe (PID: 7604 cmdline: "C:\Users\user\Desktop\PA.bin.exe" MD5: 58DBF2DF74DD9B5F7538C649B494F9C4)
    • cmd.exe (PID: 7304 cmdline: cmd /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v afcdpsrv /t REG_SZ /d C:\ProgramData\afcdpsrv.exe /f" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • reg.exe (PID: 7404 cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v afcdpsrv /t REG_SZ /d C:\ProgramData\afcdpsrv.exe /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
  • afcdpsrv.exe (PID: 508 cmdline: "C:\ProgramData\afcdpsrv.exe" MD5: 58DBF2DF74DD9B5F7538C649B494F9C4)
  • afcdpsrv.exe (PID: 2064 cmdline: "C:\ProgramData\afcdpsrv.exe" MD5: 58DBF2DF74DD9B5F7538C649B494F9C4)
  • cleanup
No configs have been found
No yara matches
Sigma rule: CurrentVersion Autorun Keys Modification. Source: Registry Key set. Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split). Data: Details: C:\ProgramData\afcdpsrv.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 7404, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\afcdpsrv
Sigma rule: Direct Autorun Keys Modification. Source: Process started. Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community. Data: Command: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v afcdpsrv /t REG_SZ /d C:\ProgramData\afcdpsrv.exe /f, CommandLine: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v afcdpsrv /t REG_SZ /d C:\ProgramData\afcdpsrv.exe /f, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: cmd /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v afcdpsrv /t REG_SZ /d C:\ProgramData\afcdpsrv.exe /f", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7304, ParentProcessName: cmd.exe, ProcessCommandLine: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v afcdpsrv /t REG_SZ /d C:\ProgramData\afcdpsrv.exe /f, ProcessId: 7404, ProcessName: reg.exe
Sigma rule: Potential Persistence Attempt Via Run Keys Using Reg.EXE. Source: Process started. Author: Florian Roth (Nextron Systems). Data: Command: cmd /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v afcdpsrv /t REG_SZ /d C:\ProgramData\afcdpsrv.exe /f", CommandLine: cmd /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v afcdpsrv /t REG_SZ /d C:\ProgramData\afcdpsrv.exe /f", CommandLine|base64offset|contains: rg, Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\PA.bin.exe", ParentImage: C:\Users\user\Desktop\PA.bin.exe, ParentProcessId: 7604, ParentProcessName: PA.bin.exe, ProcessCommandLine: cmd /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v afcdpsrv /t REG_SZ /d C:\ProgramData\afcdpsrv.exe /f", ProcessId: 7304, ProcessName: cmd.exe
No Suricata rule has matched
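All three Sigma hits above key on the same chain: the sample spawns cmd /c "reg add ... RunOnce ...", which in turn runs reg.exe, which writes the RunOnce value. The following Python is an added example, not Joe Sandbox or Sigma project code: it re-implements the core condition of each of the three rules in reduced form (the real rules carry longer key lists, allowlists and extra selectors that are not reproduced) and runs them over a constructed Sysmon-style event list built from the process tree and registry event shown above, plus two benign records that must not fire.

```python
"""Simplified re-implementation of the three Sigma rules matched in this report,
run over constructed Sysmon-style events. Added example; not Joe Sandbox or Sigma code."""
import re

# Autorun key family watched by all three rules. The real rules also list
# Explorer\Run and several policy keys; this is the reduced subset needed here.
AUTORUN_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\run(?:once|onceex|services|servicesonce)?(?=[\\\s]|$)",
    re.IGNORECASE,
)


def sigma_currentversion_autorun_keys(ev: dict) -> bool:
    """Registry-event rule: Sysmon EventID 13 SetValue on an autorun key with a real value."""
    return (
        ev.get("EventID") == 13
        and ev.get("EventType") == "SetValue"
        and AUTORUN_RE.search(ev.get("TargetObject", "")) is not None
        and ev.get("Details", "").strip() not in ("", "(Empty)")
    )


def sigma_direct_autorun_keys(ev: dict) -> bool:
    """Process-creation rule: reg.exe itself adding a value under an autorun key."""
    cmd = ev.get("CommandLine", "")
    return (
        ev.get("EventID") == 1
        and ev.get("Image", "").lower().endswith("\\reg.exe")
        and " add " in cmd.lower()
        and AUTORUN_RE.search(cmd) is not None
    )


def sigma_run_keys_reg_exe(ev: dict) -> bool:
    """Process-creation rule keyed on command-line text only ('reg', ' add ', Run key).
    Because it ignores Image, the parent cmd /c "reg add ..." line fires as well."""
    cmd = ev.get("CommandLine", "").lower()
    return (
        ev.get("EventID") == 1
        and "reg" in cmd
        and " add " in cmd
        and "software\\microsoft\\windows\\currentversion\\run" in cmd
    )


RULES = (
    ("CurrentVersion Autorun Keys Modification", sigma_currentversion_autorun_keys),
    ("Direct Autorun Keys Modification", sigma_direct_autorun_keys),
    ("Potential Persistence Attempt Via Run Keys Using Reg.EXE", sigma_run_keys_reg_exe),
)


def evaluate(events) -> list:
    """Return (rule name, ProcessId) for every event/rule pair that matches."""
    return [(name, ev["ProcessId"]) for ev in events for name, fn in RULES if fn(ev)]


REG_ADD = r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v afcdpsrv /t REG_SZ /d C:\ProgramData\afcdpsrv.exe /f"

# Constructed events mirroring the report's process tree and registry event,
# plus two benign records (PIDs 9001 and 9002) that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\SysWOW64\reg.exe", "ProcessId": 7404,
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\afcdpsrv",
     "Details": r"C:\ProgramData\afcdpsrv.exe"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\reg.exe", "ProcessId": 7404, "CommandLine": REG_ADD},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\cmd.exe", "ProcessId": 7304, "CommandLine": f'cmd /c "{REG_ADD}"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe", "ProcessId": 9001,
     "CommandLine": r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\explorer.exe", "ProcessId": 9002,
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for rule, pid in evaluate(SAMPLE_EVENTS):
        print(f"{rule}: PID {pid}")
```

The point worth noticing is why the third rule produces two hits: it matches on command-line text alone, so both reg.exe (PID 7404) and its cmd.exe parent (PID 7304) trigger it, exactly as the two "Process started" records above show. The registry rule is the one that survives if the attacker switches from reg.exe to a direct RegSetValueEx call, which is why all three are worth keeping enabled together.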

AV Detection

Source: C:\ProgramData\afcdpsrv.exe: ReversingLabs: Detection: 45%
Source: PA.bin.exe: ReversingLabs: Detection: 45%
Source: PA.bin.exe: Virustotal: Detection: 38%
Source: PA.bin.exe: Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
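The flag names in that line are bits of the COFF Characteristics word, and the "Uses 32bit PE files" and "PE / OLE file has an invalid certificate" signatures come from the optional-header magic and the security data directory. As an added example (not report or sandbox code), this stdlib-only Python parser decodes those fields and runs against a constructed minimal PE header carrying the same flag set as the sample; the header bytes are built in the script and are not the real PA.bin.exe. It reports only whether an Authenticode blob is present; deciding that the signature is invalid needs a full chain and hash check with a tool such as signtool or osslsigncode, which is outside this example. It also derives one consequence a triager cares about: with RELOCS_STRIPPED set, the loader cannot rebase the image, so DYNAMIC_BASE (ASLR) is ineffective even if it is set.

```python
"""Decode the COFF/optional-header fields behind the static PE signatures.
Added example; stdlib only. The sample image is constructed, not the real PA.bin.exe."""
import struct

COFF_FLAGS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED", 0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE", 0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED", 0x2000: "DLL",
}
DLL_FLAGS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x4000: "GUARD_CF"}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # Authenticode signature directory


def _flags(value: int, table: dict) -> list:
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(data: bytes) -> dict:
    """Return the static facts a sandbox derives from the PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    machine, _nsect, _ts, _symptr, _nsym, _opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: data directories start at optional-header offset 96
        dir_off = 96
    elif magic == 0x20B:    # PE32+: 8-byte ImageBase and stack/heap fields push them to 112
        dir_off = 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32 and PE32+
    num_dirs = struct.unpack_from("<I", data, opt + dir_off - 4)[0]
    sec_off, sec_size = 0, 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        sec_off, sec_size = struct.unpack_from(
            "<II", data, opt + dir_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    characteristics = _flags(chars, COFF_FLAGS)
    dll_characteristics = _flags(dll_chars, DLL_FLAGS)
    return {
        "machine": machine,
        "is_32bit": magic == 0x10B and machine == 0x14C,
        "characteristics": characteristics,
        "dll_characteristics": dll_characteristics,
        # Presence only: whether the blob verifies needs a real Authenticode check.
        "has_authenticode_blob": sec_off != 0 and sec_size != 0,
        # Without a relocation table the loader cannot rebase the image,
        # so DYNAMIC_BASE carries no protection.
        "aslr_effective": "DYNAMIC_BASE" in dll_characteristics
                          and "RELOCS_STRIPPED" not in characteristics,
    }


def build_sample_pe() -> bytes:
    """Constructed header with the flag set reported for the sample (not the real file)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    chars = 0x0001 | 0x0002 | 0x0004 | 0x0008 | 0x0100 | 0x0200  # the six reported flags
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, chars)  # Machine = i386
    opt = bytearray(224)                                         # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, 0x0040 | 0x0100)             # DYNAMIC_BASE | NX_COMPAT
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x5000, 0x1800)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for key, value in parse_pe(build_sample_pe()).items():
        print(f"{key}: {value}")
```

Run it against a real file with `parse_pe(open(path, "rb").read())`; the security directory entry holds a file offset rather than an RVA, which is why the parser never maps it through sections.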
Source: Binary string: e.pDB.fu(nc13; source: PA.bin.exe, 00000000.00000002.3113895670.0000000003038000.00000004.00000020.00020000.00000000.sdmp, afcdpsrv.exe, 0000000B.00000003.1653949115.00000000030C1000.00000004.00000020.00020000.00000000.sdmp, afcdpsrv.exe, 0000000C.00000003.1739621905.0000000003269000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\PA.bin.exe: Code function: 0_2_00403648 FindFirstFileW, 0_2_00403648
Source: C:\Users\user\Desktop\PA.bin.exe: Code function: 0_2_00408C37 DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00408C37
Source: C:\Users\user\Desktop\PA.bin.exe: Code function: 0_2_00408B4B FindFirstFileW,FindClose, 0_2_00408B4B
Source: C:\ProgramData\afcdpsrv.exe: Code function: 12_2_00403648 FindFirstFileW, 12_2_00403648
Source: C:\ProgramData\afcdpsrv.exe: Code function: 12_2_00408C37 DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 12_2_00408C37
Source: C:\ProgramData\afcdpsrv.exe: Code function: 12_2_00408B4B FindFirstFileW,FindClose, 12_2_00408B4B
Source: C:\Users\user\Desktop\PA.bin.exe: Code function: 4x nop then mov dword ptr [esp+0Ch], eax (0_2_038F2EB0)
Source: C:\ProgramData\afcdpsrv.exe: Code function: 4x nop then mov dword ptr [esp+0Ch], eax (11_3_03992EB0)
Source: C:\ProgramData\afcdpsrv.exe: Code function: 4x nop then mov dword ptr [esp+0Ch], eax (12_3_03B32EB0)
Source: global traffic: TCP traffic: 192.168.2.4:49723 -> 15.197.198.189:8545
Source: global traffic: TCP traffic: 192.168.2.4:49726 -> 62.60.234.80:1466
Source: Joe Sandbox View: IP Address: 62.60.234.80
Source: Joe Sandbox View: IP Address: 15.197.198.189
Source: unknown: TCP traffic detected without corresponding DNS query: 62.60.234.80 (reported 9 times)
Source: unknown: UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 2 times)
Source: global traffic: HTTP traffic detected: GET /x.cer HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Microsoft-CryptoAPI/10.0 | Host: x.ss2.us
Source: global traffic: DNS traffic detected: DNS query: data-seed-prebsc-1-s1.binance.org
Source: global traffic: DNS traffic detected: DNS query: x.ss2.us
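Two of the signatures behind these lines, "TCP or UDP traffic on non-standard ports" and "TCP traffic detected without corresponding DNS query", are simple to reproduce from a flow log, and doing so makes the triage distinction explicit: the connection to 62.60.234.80:1466 has no DNS answer behind it (a hard-coded address) while 15.197.198.189:8545 does. Port 8545 is the conventional Ethereum-style JSON-RPC port, consistent with the data-seed-prebsc-1-s1.binance.org query, and the GET /x.cer with the Microsoft-CryptoAPI user agent is Windows' own certificate chain fetch, not sample-authored traffic. The Python below is an added example, not sandbox code; it correlates DNS answers with later TCP connections over a constructed log. The mapping of data-seed-prebsc-1-s1.binance.org to 15.197.198.189, the address 203.0.113.10 for x.ss2.us, the timestamps and the list of "standard" ports are all assumptions made for the example, since the report lists queries and connections separately.

```python
"""Correlate DNS answers with later TCP connections and flag the two conditions
the report's networking signatures describe. Added example; constructed log."""
import re

# Ports treated as "standard" here; an assumption of this example, not the
# sandbox's own threshold.
STANDARD_PORTS = {21, 22, 25, 53, 80, 110, 123, 143, 443, 465, 587, 993, 995, 3389}

DNS_RE = re.compile(r"^(?P<ts>\S+) DNS query=(?P<qname>\S+) answer=(?P<ip>\S+)$")
TCP_RE = re.compile(r"^(?P<ts>\S+) TCP (?P<src>\S+) -> (?P<dst_ip>[\d.]+):(?P<dst_port>\d+)$")


def parse_line(line: str) -> dict:
    """Parse one constructed log line into a dns or tcp record."""
    m = DNS_RE.match(line)
    if m:
        return {"kind": "dns", "qname": m["qname"], "ip": m["ip"]}
    m = TCP_RE.match(line)
    if m:
        return {"kind": "tcp", "dst_ip": m["dst_ip"], "dst_port": int(m["dst_port"])}
    raise ValueError(f"unrecognised log line: {line!r}")


def analyze(lines) -> list:
    """Return (finding, dst_ip, dst_port) tuples, deduplicated.

    Order matters: only answers seen *before* a connection count, because a
    process that connects first and resolves later already knew the address.
    """
    resolved = {}          # ip -> query name that produced it
    findings, seen = [], set()

    def emit(kind, ip, port):
        key = (kind, ip, port)
        if key not in seen:
            seen.add(key)
            findings.append(key)

    for line in lines:
        rec = parse_line(line)
        if rec["kind"] == "dns":
            resolved[rec["ip"]] = rec["qname"]
            continue
        ip, port = rec["dst_ip"], rec["dst_port"]
        if ip not in resolved:
            emit("no_dns", ip, port)
        if port not in STANDARD_PORTS:
            emit("nonstandard_port", ip, port)
    return findings


# Constructed log in timestamp order; the DNS answers are assumed, the
# connections mirror the two TCP flows listed in the report (plus one retry).
SAMPLE_LOG = [
    "2025-04-10T10:00:00Z DNS query=data-seed-prebsc-1-s1.binance.org answer=15.197.198.189",
    "2025-04-10T10:00:01Z TCP 192.168.2.4:49723 -> 15.197.198.189:8545",
    "2025-04-10T10:00:02Z DNS query=x.ss2.us answer=203.0.113.10",
    "2025-04-10T10:00:03Z TCP 192.168.2.4:49724 -> 203.0.113.10:80",
    "2025-04-10T10:00:04Z TCP 192.168.2.4:49726 -> 62.60.234.80:1466",
    "2025-04-10T10:00:09Z TCP 192.168.2.4:49731 -> 62.60.234.80:1466",
]

if __name__ == "__main__":
    for kind, ip, port in analyze(SAMPLE_LOG):
        print(f"{kind}: {ip}:{port}")
```

With real telemetry, feed it Sysmon EventID 22 (DNS query) and EventID 3 (network connection) records, or Zeek dns.log and conn.log, in timestamp order; the same two checks apply unchanged.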
Source: PA.bin.exe, 00000000.00000003.1451633507.0000000025A82000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://ac.economia.gob.mx/cps.html0
Source: PA.bin.exe, 00000000.00000003.1451633507.0000000025A82000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://ac.economia.gob.mx/last.crl0G
Source: PA.bin.exe, 00000000.00000003.1452042367.00000000001FA000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451737449.00000000001EA000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://acedicom.edicomgroup.com/doc0
Source: PA.bin.exe, 00000000.00000003.1451775582.0000000025A5C000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0
Source: PA.bin.exe, 00000000.00000003.1451858276.00000000001B6000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451737449.00000000001D4000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451676207.0000000025A65000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451822076.00000000001E0000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?
Source: PA.bin.exe, 00000000.00000003.1451737449.00000000001D4000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451822076.00000000001E0000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl0
Source: PA.bin.exe, 00000000.00000003.1451775582.0000000025A5C000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv10.crl0
Source: PA.bin.exe, 00000000.00000003.1451858276.00000000001B6000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv2.crl0
Source: PA.bin.exe, 00000000.00000003.1451676207.0000000025A65000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv5.crl0
Source: PA.bin.exe, 00000000.00000003.1451676207.0000000025A8C000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3122143864.0000000025A8C000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451633507.0000000025A8C000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: PA.bin.exe, 00000000.00000003.1451775582.0000000025A5C000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0
Source: PA.bin.exe, 00000000.00000003.1451775582.0000000025A5C000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0g
Source: PA.bin.exe, 00000000.00000003.1451775582.0000000025A5C000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://ca.mtin.es/mtin/crl/MTINAutoridadRaiz03
Source: PA.bin.exe, 00000000.00000003.1451775582.0000000025A5C000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://ca.mtin.es/mtin/ocsp0
Source: PA.bin.exe, 00000000.00000003.1451775582.0000000025A5C000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0
Source: PA.bin.exe, afcdpsrv.exe.0.dr: String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: PA.bin.exe, afcdpsrv.exe.0.dr: String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0K
Source: PA.bin.exe, afcdpsrv.exe.0.dr: String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: PA.bin.exe, afcdpsrv.exe.0.dr: String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: PA.bin.exe, afcdpsrv.exe.0.dr: String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: PA.bin.exe, 00000000.00000003.1451676207.0000000025A65000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: PA.bin.exe, 00000000.00000003.2050099775.0000000000173000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3112075529.0000000000173000.00000004.00000020.00020000.00000000.sdmp, 070E0202839D9D67350CD2613E78E416.0.dr: String found in binary or memory: http://certificates.starfieldtech.com/repository/root.crl0Q
Source: PA.bin.exe, 00000000.00000003.2050099775.0000000000173000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3112075529.0000000000173000.00000004.00000020.00020000.00000000.sdmp, 070E0202839D9D67350CD2613E78E416.0.dr: String found in binary or memory: http://certificates.starfieldtech.com/repository0
Source: PA.bin.exe, 00000000.00000003.1451676207.0000000025A65000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://certs.oati.net/repository/OATICA2.crl0
Source: PA.bin.exe, 00000000.00000003.1451676207.0000000025A65000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://certs.oati.net/repository/OATICA2.crt0
Source: PA.bin.exe, 00000000.00000003.1451676207.0000000025A65000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crl
Source: PA.bin.exe, 00000000.00000003.1451676207.0000000025A65000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crt08
Source: PA.bin.exe, 00000000.00000003.1451633507.0000000025A82000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: PA.bin.exe, 00000000.00000003.2050054125.0000000025A48000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3122076112.0000000025A48000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1452056622.0000000025A45000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1452023401.0000000025A3F000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451999047.0000000025A33000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: PA.bin.exe, 00000000.00000003.1451676207.0000000025A65000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://cps.siths.se/sithsrootcav1.html0
Source: PA.bin.exe, 00000000.00000003.1451633507.0000000025A82000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: PA.bin.exe, 00000000.00000003.1451633507.0000000025A82000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: PA.bin.exe, 00000000.00000003.2050054125.0000000025A48000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3122076112.0000000025A48000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1452056622.0000000025A45000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1452023401.0000000025A3F000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451999047.0000000025A33000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: PA.bin.exe, 00000000.00000003.1451999047.0000000025A33000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1452073566.0000000025A3B000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: PA.bin.exe, 00000000.00000003.1451858276.00000000001B6000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://crl.defence.gov.au/pki0
Source: PA.bin.exe, 00000000.00000003.1451633507.0000000025A82000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl0
Source: PA.bin.exe, 00000000.00000002.3112663016.00000000001DD000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451737449.00000000001D4000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: PA.bin.exe, 00000000.00000003.1451676207.0000000025A65000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://crl.oces.trust2408.com/oces.crl0
Source: PA.bin.exe, 00000000.00000003.1451858276.00000000001B6000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://crl.postsignum.cz/crl/psrootqca4.crl02
Source: PA.bin.exe, 00000000.00000003.1451858276.00000000001B6000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://crl.postsignum.eu/crl/psrootqca4.crl0
Source: PA.bin.exe, 00000000.00000002.3115107407.000000000440E000.00000004.00001000.00020000.00000000.sdmp: String found in binary or memory: http://crl.r2m02.amazontrust.com/r2m02.crl
Source: PA.bin.exe, 00000000.00000002.3117720281.00000000045AA000.00000004.00001000.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3119147165.000000000633A000.00000004.00001000.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3112075529.000000000010E000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3117720281.0000000004596000.00000004.00001000.00020000.00000000.sdmp: String found in binary or memory: http://crl.r2m02.amazontrust.com/r2m02.crl0u
Source: PA.bin.exe, 00000000.00000002.3115107407.000000000440E000.00000004.00001000.00020000.00000000.sdmp: String found in binary or memory: http://crl.r2m02.amazontrust.com/r2m02.crlThe
Source: PA.bin.exe, 00000000.00000002.3115107407.000000000440E000.00000004.00001000.00020000.00000000.sdmp: String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl
Source: PA.bin.exe, 00000000.00000002.3117720281.00000000045AA000.00000004.00001000.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3115107407.0000000004458000.00000004.00001000.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3112075529.000000000010E000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: PA.bin.exe, 00000000.00000002.3115107407.000000000440E000.00000004.00001000.00020000.00000000.sdmp: String found in binary or memory: http://crl.rootg2.amazontrust.com/rootg2.crl
Source: PA.bin.exe, 00000000.00000002.3117720281.00000000045AA000.00000004.00001000.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3112075529.000000000010E000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3117720281.000000000458C000.00000004.00001000.00020000.00000000.sdmp: String found in binary or memory: http://crl.rootg2.amazontrust.com/rootg2.crl0
Source: PA.bin.exe, 00000000.00000003.1451676207.0000000025A65000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: PA.bin.exe, 00000000.00000003.1451893543.00000000001D0000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451805772.00000000001C9000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: PA.bin.exe, 00000000.00000003.1451676207.0000000025A65000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
Source: PA.bin.exe, 00000000.00000003.1451676207.0000000025A65000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
Source: PA.bin.exe, 00000000.00000003.1451616116.0000000025A8F000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
Source: PA.bin.exe, 00000000.00000003.1451925571.00000000001AB000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: PA.bin.exe, 00000000.00000003.1451858276.00000000001B6000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0
Source: PA.bin.exe, 00000000.00000003.1451858276.00000000001B6000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://crl2.postsignum.cz/crl/psrootqca4.crl01
Source: PA.bin.exe, afcdpsrv.exe.0.dr: String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: PA.bin.exe, afcdpsrv.exe.0.dr: String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: PA.bin.exe, afcdpsrv.exe.0.dr: String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: PA.bin.exe, afcdpsrv.exe.0.dr: String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: afcdpsrv.exe.0.dr: String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: PA.bin.exe, afcdpsrv.exe.0.dr: String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: PA.bin.exe, 00000000.00000002.3115107407.000000000440E000.00000004.00001000.00020000.00000000.sdmp: String found in binary or memory: http://crt.r2m02.amazontrust.com/r2m02.cer
Source: PA.bin.exe, 00000000.00000002.3117720281.00000000045AA000.00000004.00001000.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3119147165.000000000633A000.00000004.00001000.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3112075529.000000000010E000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3117720281.0000000004596000.00000004.00001000.00020000.00000000.sdmp: String found in binary or memory: http://crt.r2m02.amazontrust.com/r2m02.cer0
Source: PA.bin.exe, 00000000.00000002.3115107407.000000000440E000.00000004.00001000.00020000.00000000.sdmp: String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer
Source: PA.bin.exe, 00000000.00000002.3117720281.00000000045AA000.00000004.00001000.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3115107407.0000000004458000.00000004.00001000.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3112075529.000000000010E000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: PA.bin.exe, 00000000.00000002.3115107407.000000000440E000.00000004.00001000.00020000.00000000.sdmp: String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cerhttp://crl.rootca1.amazontrust.com/rootca1.crl
Source: PA.bin.exe, 00000000.00000002.3115107407.000000000440E000.00000004.00001000.00020000.00000000.sdmp: String found in binary or memory: http://crt.rootg2.amazontrust.com/rootg2.cer
Source: PA.bin.exe, 00000000.00000002.3117720281.00000000045AA000.00000004.00001000.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3112075529.000000000010E000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3117720281.000000000458C000.00000004.00001000.00020000.00000000.sdmp: String found in binary or memory: http://crt.rootg2.amazontrust.com/rootg2.cer0=
Source: PA.bin.exe, 00000000.00000002.3115107407.000000000440E000.00000004.00001000.00020000.00000000.sdmp: String found in binary or memory: http://crt.rootg2.amazontrust.com/rootg2.cerhttp://crl.rootg2.amazontrust.com/rootg2.crlThe
Source: PA.bin.exe, 00000000.00000003.2050099775.0000000000173000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3112075529.0000000000173000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.2050099775.0000000000185000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1450736380.0000000000185000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3112075529.0000000000185000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr: String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: PA.bin.exe, 00000000.00000003.2050099775.0000000000185000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1450736380.0000000000185000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3112075529.0000000000185000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enw
Source: PA.bin.exe, 00000000.00000003.1451737449.00000000001D4000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: PA.bin.exe, 00000000.00000003.1451737449.00000000001D4000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: PA.bin.exe, 00000000.00000003.1452042367.00000000001FA000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451737449.00000000001EA000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: PA.bin.exe, 00000000.00000002.3122434114.0000000026360000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: PA.bin.exe, 00000000.00000003.1451858276.00000000001B6000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0;
Source: PA.bin.exe, 00000000.00000003.1451805772.00000000001C9000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c0
Source: PA.bin.exe, afcdpsrv.exe.0.dr: String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: PA.bin.exe, 00000000.00000002.3115107407.0000000004408000.00000004.00001000.00020000.00000000.sdmp: String found in binary or memory: http://o.ss2.us/
Source: PA.bin.exe, 00000000.00000002.3117720281.00000000045AA000.00000004.00001000.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3115107407.0000000004458000.00000004.00001000.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3112075529.000000000010E000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://o.ss2.us/0
Source: PA.bin.exe, 00000000.00000003.1451858276.00000000001B6000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451893543.00000000001C7000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://ocsp.accv.es0
Source: PA.bin.exe, afcdpsrv.exe.0.dr: String found in binary or memory: http://ocsp.digicert.com0
Source: PA.bin.exe, afcdpsrv.exe.0.dr: String found in binary or memory: http://ocsp.digicert.com0A
Source: PA.bin.exe, afcdpsrv.exe.0.dr: String found in binary or memory: http://ocsp.digicert.com0C
Source: PA.bin.exe, afcdpsrv.exe.0.dr: String found in binary or memory: http://ocsp.digicert.com0I
Source: PA.bin.exe, afcdpsrv.exe.0.dr: String found in binary or memory: http://ocsp.digicert.com0X
Source: PA.bin.exe, 00000000.00000002.3112625170.00000000001D2000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451893543.00000000001D0000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451805772.00000000001C9000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://ocsp.ncdc.gov.sa0
Source: PA.bin.exe, 00000000.00000003.1451858276.00000000001B6000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://ocsp.pki.gva.es0
Source: PA.bin.exe, 00000000.00000002.3115107407.000000000440E000.00000004.00001000.00020000.00000000.sdmp: String found in binary or memory: http://ocsp.r2m02.amazontrust.com
Source: PA.bin.exe, 00000000.00000002.3117720281.00000000045AA000.00000004.00001000.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3119147165.000000000633A000.00000004.00001000.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3112075529.000000000010E000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3117720281.0000000004596000.00000004.00001000.00020000.00000000.sdmp: String found in binary or memory: http://ocsp.r2m02.amazontrust.com06
Source: PA.bin.exe, 00000000.00000002.3115107407.000000000440E000.00000004.00001000.00020000.00000000.sdmp: String found in binary or memory: http://ocsp.r2m02.amazontrust.comThe
Source: PA.bin.exe, 00000000.00000002.3115107407.000000000440E000.00000004.00001000.00020000.00000000.sdmp: String found in binary or memory: http://ocsp.rootca1.amazontrust.com
Source: PA.bin.exe, 00000000.00000002.3117720281.00000000045AA000.00000004.00001000.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3115107407.0000000004458000.00000004.00001000.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3112075529.000000000010E000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: PA.bin.exe, 00000000.00000002.3115107407.000000000440E000.00000004.00001000.00020000.00000000.sdmp: String found in binary or memory: http://ocsp.rootca1.amazontrust.comThe
Source: PA.bin.exe, 00000000.00000002.3115107407.000000000440E000.00000004.00001000.00020000.00000000.sdmp: String found in binary or memory: http://ocsp.rootg2.amazontrust.com
Source: PA.bin.exe, 00000000.00000002.3117720281.00000000045AA000.00000004.00001000.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3112075529.000000000010E000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3117720281.000000000458C000.00000004.00001000.00020000.00000000.sdmp: String found in binary or memory: http://ocsp.rootg2.amazontrust.com08
Source: PA.bin.exe, 00000000.00000002.3115107407.000000000440E000.00000004.00001000.00020000.00000000.sdmp: String found in binary or memory: http://ocsp.rootg2.amazontrust.comThe
Source: PA.bin.exe, 00000000.00000003.2050099775.0000000000173000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3112075529.0000000000173000.00000004.00000020.00020000.00000000.sdmp, 070E0202839D9D67350CD2613E78E416.0.dr: String found in binary or memory: http://ocsp.starfieldtech.com0J
Source: PA.bin.exe, 00000000.00000003.1451676207.0000000025A65000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451999047.0000000025A33000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://ocsp.suscerte.gob.ve0
Source: PA.bin.exe, 00000000.00000003.1452218999.00000000001F6000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451737449.00000000001EA000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://pki.digidentity.eu/validatie0
Source: PA.bin.exe, 00000000.00000003.1451616116.0000000025A8F000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://pki.registradores.org/normativa/index.htm0
Source: PA.bin.exe, 00000000.00000003.1451737449.00000000001D4000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451676207.0000000025A65000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://policy.camerfirma.com0
Source: PA.bin.exe, 00000000.00000003.1451858276.00000000001B6000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://postsignum.ttc.cz/crl/psrootqca2.crl0
Source: PA.bin.exe, 00000000.00000003.1451858276.00000000001B6000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451676207.0000000025A65000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451999047.0000000025A33000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://repository.swisssign.com/0
Source: PA.bin.exe, 00000000.00000002.3115107407.000000000440E000.00000004.00001000.00020000.00000000.sdmp: String found in binary or memory: http://s.ss2.us/r.crl
Source: PA.bin.exe, 00000000.00000002.3117720281.00000000045AA000.00000004.00001000.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3115107407.0000000004458000.00000004.00001000.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3112075529.000000000010E000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://s.ss2.us/r.crl0
Source: PA.bin.exe, 00000000.00000003.1451999047.0000000025A33000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0
Source: PA.bin.exe, 00000000.00000003.1451858276.00000000001B6000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
Source: PA.bin.exe, 00000000.00000002.3112625170.00000000001D2000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451893543.00000000001D0000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451805772.00000000001C9000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcacomb1.crl0
Source: PA.bin.exe, 00000000.00000002.3112625170.00000000001D2000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451893543.00000000001D0000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451805772.00000000001C9000.00000004.00000020.00020000.00000000.sdmp: String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcaparta1.crl
Source: PA.bin.exe, 00000000.00000003.1451737449.00000000001D4000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451999047.0000000025A33000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.acabogacia.org/doc0
Source: PA.bin.exe, 00000000.00000003.1451737449.00000000001D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.acabogacia.org0
Source: PA.bin.exe, 00000000.00000003.1451858276.00000000001B6000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451893543.00000000001C7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: PA.bin.exe, 00000000.00000003.1451858276.00000000001B6000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451893543.00000000001C7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: PA.bin.exe, 00000000.00000003.1451858276.00000000001B6000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451893543.00000000001C7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: PA.bin.exe, 00000000.00000003.1451858276.00000000001B6000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451893543.00000000001C7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es00
Source: PA.bin.exe, 00000000.00000003.1451737449.00000000001D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.agesic.gub.uy/acrn/acrn.crl0)
Source: PA.bin.exe, 00000000.00000003.1451737449.00000000001D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.agesic.gub.uy/acrn/cps_acrn.pdf0
Source: PA.bin.exe, 00000000.00000003.1451999047.0000000025A33000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ancert.com/cps0
Source: PA.bin.exe, 00000000.00000003.1451676207.0000000025A65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.anf.es
Source: PA.bin.exe, 00000000.00000003.1452023401.0000000025A3F000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451999047.0000000025A33000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.anf.es/AC/RC/ocsp0c
Source: PA.bin.exe, 00000000.00000003.1451676207.0000000025A65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.anf.es/es/address-direccion.html
Source: PA.bin.exe, 00000000.00000003.1451999047.0000000025A33000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ca.posta.rs/dokumentacija0h
Source: PA.bin.exe, 00000000.00000003.1451925571.00000000001AB000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1452218999.00000000001F6000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451737449.00000000001EA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: PA.bin.exe, 00000000.00000003.1452023401.0000000025A3F000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451999047.0000000025A33000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: PA.bin.exe, 00000000.00000003.1451775582.0000000025A5C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class1.crl0
Source: PA.bin.exe, 00000000.00000003.1451737449.00000000001D4000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451822076.00000000001E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: PA.bin.exe, 00000000.00000002.3122027911.0000000025A39000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451999047.0000000025A33000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class3.crl0
Source: PA.bin.exe, 00000000.00000003.1451616116.0000000025A8F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: PA.bin.exe, 00000000.00000003.1451572839.0000000025AD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class3TS.crl0
Source: PA.bin.exe, 00000000.00000003.2050054125.0000000025A48000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451633507.0000000025A82000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3122076112.0000000025A48000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1452056622.0000000025A45000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1452023401.0000000025A3F000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451999047.0000000025A33000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.chambersign.org1
Source: PA.bin.exe, 00000000.00000003.1451737449.00000000001D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.comsign.co.il/cps0
Source: PA.bin.exe, 00000000.00000003.1451737449.00000000001EA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.correo.com.uy/correocert/cps.pdf0
Source: PA.bin.exe, 00000000.00000003.1451676207.0000000025A65000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451999047.0000000025A33000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.datev.de/zertifikat-policy-bt0
Source: PA.bin.exe, 00000000.00000003.1451858276.00000000001B6000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451893543.00000000001C7000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451805772.00000000001C9000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451676207.0000000025A65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.datev.de/zertifikat-policy-int0
Source: PA.bin.exe, 00000000.00000003.1451858276.00000000001B6000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451616116.0000000025A8F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.datev.de/zertifikat-policy-std0
Source: PA.bin.exe, 00000000.00000003.1451893543.00000000001D0000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451805772.00000000001C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.defence.gov.au/pki0
Source: PA.bin.exe, afcdpsrv.exe.0.drString found in binary or memory: http://www.digicert.com/CPS0
Source: PA.bin.exe, 00000000.00000003.1451676207.0000000025A8C000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3122143864.0000000025A8C000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451633507.0000000025A8C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: PA.bin.exe, 00000000.00000003.1451676207.0000000025A8C000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3122143864.0000000025A8C000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451633507.0000000025A8C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.disig.sk/ca0f
Source: PA.bin.exe, 00000000.00000003.1451925571.00000000001AB000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3112075529.00000000001B1000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451957215.00000000001B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.dnie.es/dpc0
Source: PA.bin.exe, 00000000.00000003.1451661703.0000000025A9D000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451616116.0000000025A8F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.e-me.lv/repository0
Source: PA.bin.exe, 00000000.00000003.1451616116.0000000025A8F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: PA.bin.exe, 00000000.00000003.1451616116.0000000025A8F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: PA.bin.exe, 00000000.00000003.1451616116.0000000025A8F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: PA.bin.exe, 00000000.00000003.1451661703.0000000025A9D000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451858276.00000000001B6000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451616116.0000000025A8F000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451737449.00000000001D4000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451822076.00000000001E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: PA.bin.exe, 00000000.00000003.1451676207.0000000025A65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ecee.gov.pt/dpc0
Source: PA.bin.exe, 00000000.00000003.1452023401.0000000025A3F000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451999047.0000000025A33000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
Source: PA.bin.exe, 00000000.00000003.1452056622.0000000025A45000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1452023401.0000000025A3F000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451999047.0000000025A33000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.eme.lv/repository0
Source: PA.bin.exe, 00000000.00000003.1451858276.00000000001B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.firmaprofesional.com/cps0
Source: PA.bin.exe, 00000000.00000003.1451633507.0000000025A82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.globaltrust.info0
Source: PA.bin.exe, 00000000.00000003.1451633507.0000000025A82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.globaltrust.info0=
Source: PA.bin.exe, 00000000.00000003.1451676207.0000000025A65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0
Source: PA.bin.exe, 00000000.00000003.1451616116.0000000025A8F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
Source: PA.bin.exe, 00000000.00000003.1451676207.0000000025A65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.oaticerts.com/repository.
Source: PA.bin.exe, 00000000.00000003.1451858276.00000000001B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09
Source: PA.bin.exe, 00000000.00000003.1452056622.0000000025A45000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1452023401.0000000025A3F000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451999047.0000000025A33000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_21_1.pdf0:
Source: PA.bin.exe, 00000000.00000003.1451775582.0000000025A5C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
Source: PA.bin.exe, 00000000.00000003.1451858276.00000000001B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pki.gva.es/cps0
Source: PA.bin.exe, 00000000.00000003.1451858276.00000000001B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pki.gva.es/cps0%
Source: PA.bin.exe, 00000000.00000003.1451676207.0000000025A65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: PA.bin.exe, 00000000.00000003.1451661703.0000000025A9D000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451616116.0000000025A8F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: PA.bin.exe, 00000000.00000003.1451858276.00000000001B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.postsignum.cz/crl/psrootqca2.crl02
Source: PA.bin.exe, 00000000.00000003.1452042367.00000000001FA000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451737449.00000000001EA000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1452218999.00000000001FD000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.2049903466.00000000001FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadis.bm0
Source: PA.bin.exe, 00000000.00000003.1451616116.0000000025A8F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadisglobal.com/cps0
Source: PA.bin.exe, 00000000.00000003.1451858276.00000000001B6000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3112586719.00000000001C4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.rcsc.lt/repository0
Source: PA.bin.exe, 00000000.00000003.1451676207.0000000025A65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sk.ee/cps/0
Source: PA.bin.exe, 00000000.00000003.1451676207.0000000025A65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sk.ee/juur/crl/0
Source: PA.bin.exe, 00000000.00000003.1451616116.0000000025A8F000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451676207.0000000025A65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ssc.lt/cps03
Source: PA.bin.exe, 00000000.00000003.1451676207.0000000025A65000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451999047.0000000025A33000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.suscerte.gob.ve/dpc0
Source: PA.bin.exe, 00000000.00000003.1451676207.0000000025A65000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451999047.0000000025A33000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.suscerte.gob.ve/lcr0#
Source: PA.bin.exe, 00000000.00000003.1451737449.00000000001D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: PA.bin.exe, 00000000.00000003.1451737449.00000000001D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.uce.gub.uy/acrn/acrn.crl0
Source: PA.bin.exe, 00000000.00000003.1451737449.00000000001D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G
Source: PA.bin.exe, 00000000.00000003.2050099775.0000000000173000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3112075529.0000000000173000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3112075529.000000000016D000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.2050099775.000000000016C000.00000004.00000020.00020000.00000000.sdmp, 070E0202839D9D67350CD2613E78E416.0.drString found in binary or memory: http://www.valicert.com/1
Source: PA.bin.exe, 00000000.00000003.1451858276.00000000001B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www2.postsignum.cz/crl/psrootqca2.crl01
Source: PA.bin.exe, 00000000.00000002.3112075529.000000000010E000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3115107407.000000000440E000.00000004.00001000.00020000.00000000.sdmp, 070E0202839D9D67350CD2613E78E4160.0.drString found in binary or memory: http://x.ss2.us/x.cer
Source: PA.bin.exe, 00000000.00000002.3117720281.00000000045AA000.00000004.00001000.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3115107407.0000000004458000.00000004.00001000.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3112075529.000000000010E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://x.ss2.us/x.cer0&
Source: PA.bin.exe, 00000000.00000002.3115107407.000000000440E000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://x.ss2.us/x.cerhttp://s.ss2.us/r.crl
Source: PA.bin.exe, 00000000.00000003.1452023401.0000000025A3F000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451999047.0000000025A33000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://crl.anf.es/AC/ANFServerCA.crl0
Source: PA.bin.exe, 00000000.00000002.3114550015.0000000003BB2000.00000002.00001000.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3114082675.0000000003363000.00000004.00000020.00020000.00000000.sdmp, afcdpsrv.exe, 0000000B.00000003.1651809468.0000000003C52000.00000002.00001000.00020000.00000000.sdmp, afcdpsrv.exe, 0000000B.00000003.1654153769.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, afcdpsrv.exe, 0000000C.00000003.1739941609.000000000359D000.00000004.00000020.00020000.00000000.sdmp, afcdpsrv.exe, 0000000C.00000003.1737302649.0000000003DF2000.00000002.00001000.00020000.00000000.sdmpString found in binary or memory: https://data-seed-prebsc-1-s1.binance.org:8545/RtlDosPathNameToRelativeNtPathName_U_WithStatushttp:
Source: PA.bin.exe, 00000000.00000003.1452042367.00000000001FA000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451737449.00000000001EA000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1452218999.00000000001FD000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.2049903466.00000000001FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: PA.bin.exe, 00000000.00000003.1451616116.0000000025A8F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: PA.bin.exe, 00000000.00000003.1451616116.0000000025A8F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://repository.luxtrust.lu0
Source: PA.bin.exe, 00000000.00000003.1451633507.0000000025A82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://repository.tsp.zetes.com0
Source: PA.bin.exe, 00000000.00000003.1451676207.0000000025A65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://web.certicamara.com/marco-legal0Z
Source: PA.bin.exe, 00000000.00000003.1452023401.0000000025A3F000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451999047.0000000025A33000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.anf.es/AC/ACTAS/789230
Source: PA.bin.exe, 00000000.00000003.1452023401.0000000025A3F000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451999047.0000000025A33000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.anf.es/AC/ANFServerCA.crl0
Source: PA.bin.exe, 00000000.00000003.1452023401.0000000025A3F000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451999047.0000000025A33000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.anf.es/address/)1(0&
Source: PA.bin.exe, 00000000.00000003.1451676207.0000000025A8C000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451616116.0000000025A8F000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3122143864.0000000025A8C000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451633507.0000000025A8C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.catcert.net/verarrel
Source: PA.bin.exe, 00000000.00000003.1451616116.0000000025A8F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.catcert.net/verarrel05
Source: PA.bin.exe, 00000000.00000003.1451572839.0000000025AA6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.netlock.hu/docs/
Source: PA.bin.exe, 00000000.00000003.1451858276.00000000001B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.netlock.net/docs
Source: PA.bin.exe, 00000000.00000003.1451633507.0000000025A82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://wwww.certigna.fr/autorites/0m
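Nearly every URL string listed above is an OCSP responder, CRL distribution point, CA repository or CPS pointer, i.e. text that lives inside X.509 certificates and ends up in process memory once crypt32 parses the trust store (the CryptnetUrlCache file the sample creates is the same mechanism at work). The odd trailing characters ("08", "0J", "0&", a lone "1") are not part of the URLs: they are the DER tag and length bytes of the certificate field that follows (0x30 SEQUENCE is ASCII '0', 0x31 SET is '1'). The one string that does not fit this pattern is https://data-seed-prebsc-1-s1.binance.org:8545/, a public BNB Smart Chain testnet JSON-RPC endpoint, present in both PA.bin.exe and afcdpsrv.exe memory with an unrelated ntdll export name fused after it; the report does not show what the sample does with it. The triage below is an added example, not part of the Joe Sandbox report: the sample strings are copied from the report, while PKI_TOKENS, the host clean-up and the verdict names are this example's own heuristics.

```python
"""Triage 'String found in binary or memory' URLs from a sandbox report.

Added example (not part of the Joe Sandbox report).  Separates URLs that are
carried inside X.509 certificates (OCSP responders, CRL distribution points,
CA repositories, CPS pointers) from strings that need an analyst's eye.
Sample strings are copied from the report; PKI_TOKENS and the host clean-up
are this example's own heuristics, not Joe Sandbox logic.
"""
import re
from dataclasses import dataclass

# Copied from the report.  Trailing characters such as "08", "0J", "0&" or "1"
# are not part of the URL: they are the DER tag and length bytes of the next
# certificate field (0x30 = SEQUENCE = '0', 0x31 = SET = '1'), which is what
# URL strings lifted from parsed certificates look like in memory.
SAMPLE_STRINGS = [
    "http://ocsp.rootg2.amazontrust.com08",
    "http://ocsp.starfieldtech.com0J",
    "http://s.ss2.us/r.crl0",
    "http://x.ss2.us/x.cer0&",
    "http://www.pki.gva.es/cps0",
    "http://www.certplus.com/CRL/class3.crl0",
    "https://repository.luxtrust.lu0",
    "http://www.chambersign.org1",
    "https://www.netlock.net/docs",
    "https://data-seed-prebsc-1-s1.binance.org:8545/"
    "RtlDosPathNameToRelativeNtPathName_U_WithStatushttp:",
]

URL_RE = re.compile(
    r"(?P<scheme>https?)://(?P<host>[A-Za-z0-9.-]+)(?::(?P<port>\d+))?(?P<path>/\S*)?",
    re.IGNORECASE,
)
STANDARD_PORTS = {"http": 80, "https": 443}
# Substrings typical of AIA / CRL DP / certificate-policy URLs (heuristic).
PKI_TOKENS = ("ocsp", "crl", "cps", "pki", "cert", ".crt", ".cer",
              "repositor", "polic", "dpc", "/ca", "sign", "trust")


@dataclass
class Finding:
    raw: str
    host: str
    port: int
    verdict: str   # "certificate-metadata", "review" or "unparsed"
    reason: str


def clean_host(host: str) -> str:
    """Drop DER debris glued to the top-level label.

    TLD labels are alphabetic (IDN TLDs start with 'xn--' and are left alone),
    so a trailing '0'/'1' plus at most one more byte on the last label is the
    SEQUENCE/SET tag and length of the next certificate field.  Heuristic.
    """
    labels = host.split(".")
    m = re.fullmatch(r"([a-z]{2,})[01].?", labels[-1])
    if m and not labels[-1].startswith("xn--"):
        labels[-1] = m.group(1)
    return ".".join(labels)


def triage_url(raw: str) -> Finding:
    m = URL_RE.match(raw)
    if not m:
        return Finding(raw, "", 0, "unparsed", "string does not start with an http(s) URL")
    scheme = m["scheme"].lower()
    host = clean_host(m["host"].lower())
    port = int(m["port"]) if m["port"] else STANDARD_PORTS[scheme]
    subject = host + (m["path"] or "").lower()
    # Certificate URLs very rarely carry an explicit non-standard port; this
    # is the strongest single signal here and is checked before any token.
    if port not in STANDARD_PORTS.values():
        return Finding(raw, host, port, "review", f"explicit non-standard port {port}")
    hits = [t for t in PKI_TOKENS if t in subject]
    if hits:
        return Finding(raw, host, port, "certificate-metadata", "matches " + ", ".join(hits))
    return Finding(raw, host, port, "review", "no certificate-metadata token; check the host by hand")


def hosts_to_review(strings):
    """Distinct (host, port) pairs an analyst still has to look at."""
    return sorted({(f.host, f.port) for f in map(triage_url, strings) if f.verdict == "review"})


if __name__ == "__main__":
    for f in map(triage_url, SAMPLE_STRINGS):
        print(f"{f.verdict:21} {f.host}:{f.port}  ({f.reason})")
    print("to review:", hosts_to_review(SAMPLE_STRINGS))
```

Run over the full string list of a report, this reduces a hundred certificate URLs to the two or three hosts that are worth a lookup; the token list will still pass the odd CA repository through to "review" (netlock.net above), which is the right failure direction for a triage filter.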
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: 0_2_004075EC GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\PA.bin.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: 0_2_00FF0CD8 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: 0_2_00FF066E NtProtectVirtualMemory
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: 0_2_00FF11E5 CreateThread,malloc,NtClose,free
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: 0_2_00FF0B72 NtGetContextThread,NtSetContextThread,NtResumeThread
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: 0_2_00FF10E8 NtClose
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: 0_2_00FF1084 NtClose
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: 0_2_00FF19C5 free,NtClose,free
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: 0_2_00FF114C NtClose
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: 0_2_02802000 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: 0_2_02801FC2 NtFreeVirtualMemory
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: 0_2_02801F6F NtAllocateVirtualMemory
Source: C:\ProgramData\afcdpsrv.exe | Code function: 11_3_00B01084 NtSuspendThread
Source: C:\ProgramData\afcdpsrv.exe | Code function: 11_3_00B010E8 NtTerminateThread
Source: C:\ProgramData\afcdpsrv.exe | Code function: 11_3_00B00CD8 NtAllocateVirtualMemory,NtFreeVirtualMemory
Source: C:\ProgramData\afcdpsrv.exe | Code function: 11_3_00B0114C NtClose
Source: C:\ProgramData\afcdpsrv.exe | Code function: 11_3_00B0066E NtProtectVirtualMemory
Source: C:\ProgramData\afcdpsrv.exe | Code function: 11_3_00B00B72 NtGetContextThread,NtSetContextThread,NtResumeThread
Source: C:\ProgramData\afcdpsrv.exe | Code function: 11_2_02992000 NtProtectVirtualMemory
Source: C:\ProgramData\afcdpsrv.exe | Code function: 11_2_02991FC2 NtFreeVirtualMemory
Source: C:\ProgramData\afcdpsrv.exe | Code function: 11_2_02991F6F NtAllocateVirtualMemory
Source: C:\ProgramData\afcdpsrv.exe | Code function: 12_3_001D1084 NtSuspendThread
Source: C:\ProgramData\afcdpsrv.exe | Code function: 12_3_001D0CD8 NtAllocateVirtualMemory,NtFreeVirtualMemory
Source: C:\ProgramData\afcdpsrv.exe | Code function: 12_3_001D10E8 NtTerminateThread
Source: C:\ProgramData\afcdpsrv.exe | Code function: 12_3_001D114C NtClose
Source: C:\ProgramData\afcdpsrv.exe | Code function: 12_3_001D066E NtProtectVirtualMemory
Source: C:\ProgramData\afcdpsrv.exe | Code function: 12_3_001D0B72 NtGetContextThread,NtSetContextThread,NtResumeThread
Source: C:\ProgramData\afcdpsrv.exe | Code function: 12_2_02B32000 NtProtectVirtualMemory
Source: C:\ProgramData\afcdpsrv.exe | Code function: 12_2_02B31FC2 NtFreeVirtualMemory
Source: C:\ProgramData\afcdpsrv.exe | Code function: 12_2_02B31F6F NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: 0_2_00405A23
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: 0_2_00404590
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: 0_2_00404E54
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: 0_2_00409A39
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: 0_2_00404EC2
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: 0_2_00409AC7
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: 0_2_00406AC8
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: 0_2_004050BE
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: 0_2_004098BE
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: 0_2_00405159
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: 0_2_00409B13
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: 0_2_0040511E
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: 0_2_00409136
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: 0_2_00404DD2
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: 0_2_004075EC
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: 0_2_02800000
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: 0_2_038FBBF0
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: 0_2_0391BEA0
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: 0_2_038F2EB0
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: 0_2_0391C6E0
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: 0_2_03901210
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: 0_2_0395C230
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: 0_2_0391B920
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: 0_2_038F8D40
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: 0_2_0391E570
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: 0_2_03916D70
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: 0_2_03900080
Source: C:\ProgramData\afcdpsrv.exe | Code function: 11_3_0399BBF0
Source: C:\ProgramData\afcdpsrv.exe | Code function: 11_3_03992EB0
Source: C:\ProgramData\afcdpsrv.exe | Code function: 11_3_039BBEA0
Source: C:\ProgramData\afcdpsrv.exe | Code function: 11_3_039BC6E0
Source: C:\ProgramData\afcdpsrv.exe | Code function: 11_3_039A1210
Source: C:\ProgramData\afcdpsrv.exe | Code function: 11_3_039FC230
Source: C:\ProgramData\afcdpsrv.exe | Code function: 11_3_039BB920
Source: C:\ProgramData\afcdpsrv.exe | Code function: 11_3_03998D40
Source: C:\ProgramData\afcdpsrv.exe | Code function: 11_3_039BE570
Source: C:\ProgramData\afcdpsrv.exe | Code function: 11_3_039B6D70
Source: C:\ProgramData\afcdpsrv.exe | Code function: 11_3_039A0080
Source: C:\ProgramData\afcdpsrv.exe | Code function: 11_2_02990000
Source: C:\ProgramData\afcdpsrv.exe | Code function: 12_3_03B3BBF0
Source: C:\ProgramData\afcdpsrv.exe | Code function: 12_3_03B32EB0
Source: C:\ProgramData\afcdpsrv.exe | Code function: 12_3_03B5BEA0
Source: C:\ProgramData\afcdpsrv.exe | Code function: 12_3_03B5C6E0
Source: C:\ProgramData\afcdpsrv.exe | Code function: 12_3_03B9C230
Source: C:\ProgramData\afcdpsrv.exe | Code function: 12_3_03B41210
Source: C:\ProgramData\afcdpsrv.exe | Code function: 12_3_03B5B920
Source: C:\ProgramData\afcdpsrv.exe | Code function: 12_3_03B5E570
Source: C:\ProgramData\afcdpsrv.exe | Code function: 12_3_03B56D70
Source: C:\ProgramData\afcdpsrv.exe | Code function: 12_3_03B38D40
Source: C:\ProgramData\afcdpsrv.exe | Code function: 12_3_03B40080
Source: C:\ProgramData\afcdpsrv.exe | Code function: 12_2_00405A23
Source: C:\ProgramData\afcdpsrv.exe | Code function: 12_2_00404590
Source: C:\ProgramData\afcdpsrv.exe | Code function: 12_2_00404E54
Source: C:\ProgramData\afcdpsrv.exe | Code function: 12_2_00409A39
Source: C:\ProgramData\afcdpsrv.exe | Code function: 12_2_00404EC2
Source: C:\ProgramData\afcdpsrv.exe | Code function: 12_2_00409AC7
Source: C:\ProgramData\afcdpsrv.exe | Code function: 12_2_00406AC8
Source: C:\ProgramData\afcdpsrv.exe | Code function: 12_2_004050BE
Source: C:\ProgramData\afcdpsrv.exe | Code function: 12_2_004098BE
Source: C:\ProgramData\afcdpsrv.exe | Code function: 12_2_00405159
Source: C:\ProgramData\afcdpsrv.exe | Code function: 12_2_00409B13
Source: C:\ProgramData\afcdpsrv.exe | Code function: 12_2_0040511E
Source: C:\ProgramData\afcdpsrv.exe | Code function: 12_2_00409136
Source: C:\ProgramData\afcdpsrv.exe | Code function: 12_2_00404DD2
Source: C:\ProgramData\afcdpsrv.exe | Code function: 12_2_004075EC
Source: C:\ProgramData\afcdpsrv.exe | Code function: 12_2_02B30000
Source: Joe Sandbox View | Dropped File: C:\ProgramData\afcdpsrv.exe A6D4406683626AA86A4B4CCA84EA4E3B9C744803F3FF396B916F4562FE8336F0
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: String function: 0395B9D0 appears 141 times
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: String function: 03928A80 appears 109 times
Source: C:\ProgramData\afcdpsrv.exe | Code function: String function: 039FB9D0 appears 141 times
Source: C:\ProgramData\afcdpsrv.exe | Code function: String function: 039C8A80 appears 109 times
Source: C:\ProgramData\afcdpsrv.exe | Code function: String function: 03B9B9D0 appears 141 times
Source: C:\ProgramData\afcdpsrv.exe | Code function: String function: 03B68A80 appears 109 times
Source: PA.bin.exe | Static PE information: invalid certificate
Source: PA.bin.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v afcdpsrv /t REG_SZ /d C:\ProgramData\afcdpsrv.exe /f
Source: classification engine | Classification label: mal56.winEXE@8/6@2/3
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: 0_2_00405A23 VirtualAlloc,GetDiskFreeSpaceW
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: 0_2_02800C75 CreateToolhelp32Snapshot,Thread32First,Wow64SuspendThread,CloseHandle,Thread32Next,CloseHandle
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: 0_2_00402AB8 CoCreateInstance
Source: C:\Users\user\Desktop\PA.bin.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
Source: C:\Users\user\Desktop\PA.bin.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\afcdpsrv
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7308:120:WilError_03
Source: PA.bin.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PA.bin.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: PA.bin.exe | ReversingLabs: Detection: 45%
Source: PA.bin.exe | Virustotal: Detection: 38%
Source: PA.bin.exe | String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: PA.bin.exe | String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: PA.bin.exe | String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: PA.bin.exe | String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: PA.bin.exe | String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable t
Source: PA.bin.exe | String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime:
Source: PA.bin.exe | String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (key size not a multiple of key alignruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser are
Source: PA.bin.exe | String found in binary or memory: ) is larger than maximum page size (key size not a multiple of key alignruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: afcdpsrv.exe | String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: afcdpsrv.exe | String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: afcdpsrv.exe | String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: afcdpsrv.exe | String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: afcdpsrv.exe | String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable t
Source: afcdpsrv.exe | String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime:
Source: afcdpsrv.exe | String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (key size not a multiple of key alignruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser are
Source: afcdpsrv.exe | String found in binary or memory: ) is larger than maximum page size (key size not a multiple of key alignruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: C:\Users\user\Desktop\PA.bin.exe | File read: C:\Users\user\Desktop\PA.bin.exe
Source: unknown | Process created: C:\Users\user\Desktop\PA.bin.exe "C:\Users\user\Desktop\PA.bin.exe"
Source: C:\Users\user\Desktop\PA.bin.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v afcdpsrv /t REG_SZ /d C:\ProgramData\afcdpsrv.exe /f"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v afcdpsrv /t REG_SZ /d C:\ProgramData\afcdpsrv.exe /f
Source: unknown | Process created: C:\ProgramData\afcdpsrv.exe "C:\ProgramData\afcdpsrv.exe"
Source: unknown | Process created: C:\ProgramData\afcdpsrv.exe "C:\ProgramData\afcdpsrv.exe"
Source: C:\Users\user\Desktop\PA.bin.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\PA.bin.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PA.bin.exe | Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\PA.bin.exe | Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\PA.bin.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\PA.bin.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\PA.bin.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\PA.bin.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\PA.bin.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\PA.bin.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\PA.bin.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\PA.bin.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\PA.bin.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\PA.bin.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\PA.bin.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PA.bin.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\PA.bin.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\PA.bin.exe | Section loaded: cryptnet.dll
Source: C:\Users\user\Desktop\PA.bin.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\PA.bin.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\PA.bin.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\PA.bin.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\PA.bin.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\PA.bin.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\PA.bin.exe | Section loaded: cabinet.dll
Source: C:\ProgramData\afcdpsrv.exe | Section loaded: apphelp.dll
Source: C:\ProgramData\afcdpsrv.exe | Section loaded: uxtheme.dll
Source: C:\ProgramData\afcdpsrv.exe | Section loaded: powrprof.dll
Source: C:\ProgramData\afcdpsrv.exe | Section loaded: umpdc.dll
Source: C:\ProgramData\afcdpsrv.exe | Section loaded: uxtheme.dll
Source: C:\ProgramData\afcdpsrv.exe | Section loaded: powrprof.dll
Source: C:\ProgramData\afcdpsrv.exe | Section loaded: umpdc.dll
Source: PA.bin.exe | Static file information: File size 30629068 > 1048576
Source: PA.bin.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x353800
Source: Binary string: e.pDB.fu(nc13 source: PA.bin.exe, 00000000.00000002.3113895670.0000000003038000.00000004.00000020.00020000.00000000.sdmp, afcdpsrv.exe, 0000000B.00000003.1653949115.00000000030C1000.00000004.00000020.00020000.00000000.sdmp, afcdpsrv.exe, 0000000C.00000003.1739621905.0000000003269000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\PA.bin.exe | File created: C:\ProgramData\afcdpsrv.exe
Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce afcdpsrv
Source: C:\Users\user\Desktop\PA.bin.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\PA.bin.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PA.bin.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\ProgramData\afcdpsrv.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\afcdpsrv.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\ProgramData\afcdpsrv.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\afcdpsrv.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\ProgramData\afcdpsrv.exe | API coverage: 6.5 %
Source: C:\Users\user\Desktop\PA.bin.exe TID: 7388 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: 0_2_00403648 FindFirstFileW
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: 0_2_00408C37 DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: 0_2_00408B4B FindFirstFileW,FindClose
Source: C:\ProgramData\afcdpsrv.exe | Code function: 12_2_00403648 FindFirstFileW
Source: C:\ProgramData\afcdpsrv.exe | Code function: 12_2_00408C37 DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\ProgramData\afcdpsrv.exe | Code function: 12_2_00408B4B FindFirstFileW,FindClose
Source: PA.bin.exe, 00000000.00000002.3112075529.000000000010E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWp
Source: PA.bin.exe, 00000000.00000003.2050099775.0000000000173000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3112075529.0000000000173000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1451158216.000000000019E000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000002.3112075529.00000000001A1000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.2050078181.00000000001A0000.00000004.00000020.00020000.00000000.sdmp, PA.bin.exe, 00000000.00000003.1450665288.000000000019E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: afcdpsrv.exe, 0000000C.00000002.1740920400.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: afcdpsrv.exe, 0000000B.00000002.1655213332.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll$
Source: C:\Users\user\Desktop\PA.bin.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\PA.bin.exe | Code function: 0_2_00FF143D RtlInitAnsiString,LdrGetProcedureAddress
Source: C:\Users\user\Desktop\PA.bin.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v afcdpsrv /t REG_SZ /d C:\ProgramData\afcdpsrv.exe /f"Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v afcdpsrv /t REG_SZ /d C:\ProgramData\afcdpsrv.exe /fJump to behavior
Source: C:\Users\user\Desktop\PA.bin.exeQueries volume information: C:\Users\user\Desktop\PA.bin.exe VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PA.bin.exeCode function: 0_2_00404590 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,GetModuleHandleA,0_2_00404590
Source: C:\Users\user\Desktop\PA.bin.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
ATT&CK matrix by tactic (numbers in parentheses are the report's hit counts for the techniques actually observed; techniques without a count are the unobserved cells of the matrix):

  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
  • Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
  • Execution: Command and Scripting Interpreter (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
  • Persistence: Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
  • Privilege Escalation: Process Injection (11); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items
  • Defense Evasion: Masquerading (1); Modify Registry (1); Virtualization/Sandbox Evasion (1); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); DLL Side-Loading (1)
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
  • Discovery: Query Registry (1); Security Software Discovery (11); Virtualization/Sandbox Evasion (1); Process Discovery (2); File and Directory Discovery (1); System Information Discovery (14); Remote System Discovery
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
  • Collection: Archive Collected Data (1); Clipboard Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
  • Command and Control: Encrypted Channel (1); Non-Standard Port (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (2); Multiband Communication; Commonly Used Port
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph (ID: 1663629; Sample: PA.bin.exe; Startdate: 12/04/2025; Architecture: WINDOWS; Score: 56)

  • Processes started: PA.bin.exe; afcdpsrv.exe (two instances); PA.bin.exe starts cmd.exe, which starts conhost.exe and reg.exe
  • Signatures: Multi AV Scanner detection for submitted file (PA.bin.exe); Multi AV Scanner detection for dropped file (afcdpsrv.exe)
  • Created file: C:\ProgramData\afcdpsrv.exe, PE32, dropped by PA.bin.exe
  • DNS/IP info: x.ss2.us; data-seed-prebsc-1-s1.binance.org; a8a00b7a27dd309f6.awsglobalaccelerator.com
  • Network connections from PA.bin.exe: a8a00b7a27dd309f6.awsglobalaccelerator.com 15.197.198.189, 49723, 8545, TANDEMUS, United States; x.ss2.us 18.64.155.73, 49724, 80, MIT-GATEWAYSUS, United States; 62.60.234.80, 1466, ASLINE-AS-APASLINELIMITEDHK, Iran (ISLAMIC Republic Of)
