Information Discovery
Expresses interest in specific running processes Show sources
| api_process_name | BitTorrentBar2AutoUpdateHelper.exe |
| api_process_name | rundll32.exe |
| api_process_name | iexplore.exe |
Reads data out of its own binary image Show sources
| api_process_name | process: 267ef53ea1a203e5181a3ab0d7ad860085834b19.exe, pid: 2940, offset: 0x00000000, length: 0x0020bece |
| api_process_name | process: 267ef53ea1a203e5181a3ab0d7ad860085834b19.exe, pid: 2940, offset: 0x0000c01c, length: 0x00008fcb |
| api_process_name | process: 267ef53ea1a203e5181a3ab0d7ad860085834b19.exe, pid: 2940, offset: 0x00055d43, length: 0x00021a47 |
| api_process_name | process: 267ef53ea1a203e5181a3ab0d7ad860085834b19.exe, pid: 2940, offset: 0x0007378a, length: 0x00108ef0 |
| api_process_name | process: 267ef53ea1a203e5181a3ab0d7ad860085834b19.exe, pid: 2940, offset: 0x0007778a, length: 0x0014cef0 |
| api_process_name | process: 267ef53ea1a203e5181a3ab0d7ad860085834b19.exe, pid: 2940, offset: 0x0017c67a, length: 0x000488d3 |
| api_process_name | process: 267ef53ea1a203e5181a3ab0d7ad860085834b19.exe, pid: 2940, offset: 0x001c467a, length: 0x00007ce3 |
| api_process_name | process: 267ef53ea1a203e5181a3ab0d7ad860085834b19.exe, pid: 2940, offset: 0x00206c3f, length: 0x00005293 |
| api_process_name | process: BitTorrentBar2AutoUpdateHelper.exe, pid: 504, offset: 0x00000000, length: 0x002b4cc9 |
| api_process_name | process: BitTorrentBar2AutoUpdateHelper.exe, pid: 504, offset: 0x0000c21c, length: 0x002a8ab1 |
Networking
Attempts to connect to a dead IP:Port (54 unique times) Show sources
| network_host_ip | 205.185.216.10:80 (United States) |
| network_host_ip | 104.17.28.15:80 (unknown) |
| network_host_ip | 82.163.248.194:443 (United Kingdom) |
| network_host_ip | 172.217.10.234:80 (United States) |
| network_host_ip | 195.78.120.73:80 (Netherlands) |
| network_host_ip | 195.78.120.93:80 (Netherlands) |
| network_host_ip | 172.217.10.67:80 (United States) |
| network_host_ip | 199.101.114.130:80 (United States) |
| network_host_ip | 52.216.101.21:80 (United States) |
| network_host_ip | 23.67.250.107:80 (United States) |
| network_host_ip | 184.26.44.97:80 (United States) |
| network_host_ip | 199.101.114.106:80 (United States) |
| network_host_ip | 199.101.114.100:80 (United States) |
| network_host_ip | 72.21.91.29:80 (United States) |
| network_host_ip | 23.67.250.115:80 (United States) |
| network_host_ip | 195.78.120.182:80 (Netherlands) |
| network_host_ip | 23.4.187.27:80 (United States) |
| network_host_ip | 195.78.120.104:80 (Netherlands) |
| network_host_ip | 172.217.12.194:80 (United States) |
| network_host_ip | 195.78.120.83:80 (Netherlands) |
| network_host_ip | 23.50.230.12:80 (United States) |
| network_host_ip | 104.107.44.23:80 (unknown) |
| network_host_ip | 82.163.248.194:80 (United Kingdom) |
| network_host_ip | 54.231.49.234:80 (United States) |
| network_host_ip | 195.78.120.102:80 (Netherlands) |
| network_host_ip | 172.217.10.46:80 (United States) |
| network_host_ip | 172.217.3.110:80 (United States) |
| network_host_ip | 172.217.10.238:80 (United States) |
| network_host_ip | 199.101.115.202:80 (United States) |
| network_host_ip | 173.194.68.82:80 (United States) |
| network_host_ip | 34.198.95.87:80 (United States) |
| network_host_ip | 23.4.181.163:80 (United States) |
| network_host_ip | 52.216.229.99:80 (United States) |
| network_host_ip | 195.78.120.79:80 (Netherlands) |
| network_host_ip | 54.243.137.87:80 (United States) |
| network_host_ip | 18.216.93.150:80 (United States) |
| network_host_ip | 72.246.43.51:80 (United States) |
| network_host_ip | 195.78.120.80:80 (Netherlands) |
| network_host_ip | 66.150.118.61:80 (United States) |
| network_host_ip | 23.67.250.96:80 (United States) |
| network_host_ip | 23.67.250.112:80 (United States) |
| network_host_ip | 172.217.10.66:443 (United States) |
| network_host_ip | 172.217.10.226:443 (United States) |
| network_host_ip | 52.216.86.35:80 (United States) |
| network_host_ip | 172.217.12.202:80 (United States) |
| network_host_ip | 69.28.187.228:80 (United States) |
| network_host_ip | 184.26.44.104:80 (United States) |
| network_host_ip | 172.217.6.238:80 (United States) |
| network_host_ip | 199.101.114.251:80 (United States) |
| network_host_ip | 23.200.109.88:80 (United States) |
| network_host_ip | 52.85.101.89:80 (United States) |
| network_host_ip | 93.184.216.182:80 (United States) |
| network_host_ip | 72.246.43.9:80 (United States) |
| network_host_ip | 172.217.6.226:80 (United States) |
HTTP traffic contains suspicious features which may be indicative of malware related traffic Show sources
| network_anomaly | HTTP traffic contains a POST request with no referer header |
| network_anomaly | HTTP traffic contains a GET request with no user-agent header |
| network_anomaly | http://usage.toolbar.conduit-services.com/ToolbarUsage.ashx |
| network_anomaly | http://servicemap.conduit-services.com/Toolbar/?ownerId=CT3045275 |
| network_anomaly | http://bittorrentbar2.ourtoolbar.com/SetupFinish |
| network_anomaly | http://bittorrentbar2.ourtoolbar.com/SetupFinish/ |
| network_anomaly | http://bittorrentbar2.ourtoolbar.com/welcome/default.aspx |
| network_anomaly | http://www.bittorrent.com/downloads/install-complete |
| network_anomaly | http://www.bittorrent.com/stylesheets/frog/grid.css?1406221364 |
| network_anomaly | http://www.bittorrent.com/stylesheets/animate-custom.css?1453258658 |
| network_anomaly | http://www.bittorrent.com/scripts/site/jquery.smartbanner.js |
| network_anomaly | http://fonts.googleapis.com/css?family=Open+Sans:300italic,400italic,600,300,400,700&subset=latin,cyrillic,latin-ext |
| network_anomaly | http://www.bittorrent.com/stylesheets/jquery.smartbanner.css?1409068875 |
| network_anomaly | http://netdna.bootstrapcdn.com/font-awesome/4.0.3/css/font-awesome.css |
| network_anomaly | http://fast.fonts.net/cssapi/84df605e-600d-4cfa-a1a4-bd36ef0a22ad.css |
| network_anomaly | http://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js |
| network_anomaly | http://www.bittorrent.com/stylesheets/frog/frog.css?1466697757 |
| network_anomaly | http://www.bittorrent.com/stylesheets/frog/panels.css?1520374749 |
| network_anomaly | http://www.bittorrent.com/stylesheets/animate-custom.css?1409068875 |
| network_anomaly | http://netdna.bootstrapcdn.com/font-awesome/4.0.3/fonts/fontawesome-webfont.eot? |
| network_anomaly | http://fonts.gstatic.com/s/opensans/v15/mem8YaGs126MiZpBA-U1Uw.eot |
| network_anomaly | http://www.googletagservices.com/tag/js/gpt.js |
| network_anomaly | http://www.bittorrent.com/scripts/site/detection.js |
| network_anomaly | http://www.googleadservices.com/pagead/conversion.js |
| network_anomaly | http://settings.toolbar.search.conduit.com/root/CT3045275/CT3045275 |
| network_anomaly | http://appsmetadata.toolbar.conduit-services.com/?ctid=CT3045275 |
| network_anomaly | http://clientlog.users.conduit.com/ |
| network_anomaly | http://www.bittorrent.com/scripts/site/respond.min.js?1371775856 |
| network_anomaly | http://html5shiv.googlecode.com/svn/trunk/html5.js |
| network_anomaly | http://cdn.optimizely.com/js/50136351.js |
| network_anomaly | http://storage.stgbssint.com/75/304/CT3045275/Images/634220815653506250.png |
| network_anomaly | http://storage.stgbssint.com/images/searchengines/go_btn_new.gif |
| network_anomaly | http://storage.stgbssint.com/MarketPlace/93/ce3/93951332-f9a7-4af7-af02-17ec3d749ce3/Appearance/634159521796627506_24x24.png |
| network_anomaly | http://storage.stgbssint.com/92/279/CT2790392/Images/634220879921318750.png |
| network_anomaly | http://storage.stgbssint.com/75/304/CT3045275/images/634818561434829991_24PX.png |
| network_anomaly | http://storage.stgbssint.com/75/304/CT3045275/Images/634225281783662500.png |
| network_anomaly | http://storage.stgbssint.com/92/279/CT2790392/Images/634225278165850000.png |
| network_anomaly | http://storage.stgbssint.com/92/279/CT2790392/Images/634225280526593750.png |
| network_anomaly | http://storage.stgbssint.com/92/279/CT2790392/Images/634225279692725000.png |
| network_anomaly | http://storage.stgbssint.com/92/279/CT2790392/Images/634225280304131250.png |
| network_anomaly | http://storage.stgbssint.com/92/279/CT2790392/Images/634225281436162500.png |
| network_anomaly | http://storage.stgbssint.com/92/279/CT2790392/Images/634225280643975000.png |
| network_anomaly | http://storage.stgbssint.com/92/279/CT2790392/Images/634225284383662500.png |
| network_anomaly | http://storage.stgbssint.com/92/279/CT2790392/Images/634225284881631250.png |
| network_anomaly | http://storage.stgbssint.com/92/279/CT2790392/Images/634225279948156250.png |
| network_anomaly | http://storage.stgbssint.com/92/279/CT2790392/Images/634225287181631250.png |
| network_anomaly | http://storage.stgbssint.com/92/279/CT2790392/Images/634225287547412500.png |
| network_anomaly | http://storage.stgbssint.com/75/304/CT3045275/Images/634244833256762500.png |
| network_anomaly | http://storage.stgbssint.com/75/304/CT3045275/Images/634226713903631250.png |
| network_anomaly | http://contextmenu.toolbar.conduit-services.com/?name=Toolbar&locale=EB_LOCALE&ctid=CT3045275&UM=UM_UNINSTALL_ID |
| network_anomaly | http://contextmenu.toolbar.conduit-services.com/?name=SharedApps&locale=EB_LOCALE&ctid=CT3045275 |
| network_anomaly | http://contextmenu.toolbar.conduit-services.com/?name=OtherApps&locale=EB_LOCALE&ctid=CT3045275 |
| network_anomaly | http://storage.stgbssint.com/images/searchengines/search_icon.gif |
| network_anomaly | http://storage.stgbssint.com/images/SearchEngines/images_search.gif |
| network_anomaly | http://storage.stgbssint.com/images/SearchEngines/video.gif |
| network_anomaly | http://contextmenu.toolbar.conduit-services.com/?name=GottenApps&locale=EB_LOCALE&ctid=CT3045275 |
| network_anomaly | http://storage.stgbssint.com/images/SearchEngines/news_icon.gif |
| network_anomaly | http://storage.stgbssint.com/images/SearchEngines/tfd.gif |
| network_anomaly | http://storage.stgbssint.com/images/searchengines/softonic.gif |
| network_anomaly | http://storage.stgbssint.com/images/main_menu_upgrade.gif |
| network_anomaly | http://storage.stgbssint.com/bankImages/ConduitEngine/ContextMenu/LikeIcon.png |
| network_anomaly | http://storage.stgbssint.com/images/main_menu_help.gif |
| network_anomaly | http://storage.stgbssint.com/images/main_menu_privacy.gif |
| network_anomaly | http://storage.stgbssint.com/images/main_menu_home_page.gif |
| network_anomaly | http://storage.stgbssint.com/images/main_menu_about.gif |
| network_anomaly | http://storage.stgbssint.com/images/main_menu_contact.gif |
| network_anomaly | http://storage.stgbssint.com/images/eula.png |
| network_anomaly | http://tbclient.tbccint.com/plugins/pricegong/Download/{5E1360DC-8FA8-40df-A8CD-FC3831B3634B}.cpi |
| network_anomaly | http://storage.stgbssint.com/images/main_menu_options.gif |
| network_anomaly | http://storage.stgbssint.com/images/main_menu_shrink.gif |
| network_anomaly | http://storage.stgbssint.com/images/main_menu_clear_history.gif |
| network_anomaly | http://storage.stgbssint.com/images/main_menu_refresh.gif |
| network_anomaly | http://storage.stgbssint.com/images/Menu/uninstall-icon.png |
| network_anomaly | http://emailnotifier.services.conduit.com/MailProvider/MailProvidersServices.asmx/GetMailProvidersInfo |
| network_anomaly | http://storage.stgbssint.com/ps/searchmod/embedded.html |
| network_anomaly | http://rss.cnn.com/rss/cnn_latest.rss |
| network_anomaly | http://toolbarstats.s3.amazonaws.com/stats_dyn.html?tbv=1&tbn=0 |
| network_anomaly | http://storage.Conduit.com/bankImages/ConduitEngine/ContextMenu/More.png |
| network_anomaly | http://storage.Conduit.com/bankImages/ConduitEngine/ContextMenu/LikeIcon.png |
| network_anomaly | http://storage.Conduit.com/bankImages/ConduitEngine/ContextMenu/Upgrade.png |
| network_anomaly | http://storage.Conduit.com/bankImages/ConduitEngine/ContextMenu/Browse.png |
| network_anomaly | http://storage.Conduit.com/bankImages/ConduitEngine/ContextMenu/Options.png |
| network_anomaly | http://storage.Conduit.com/bankImages/ConduitEngine/ContextMenu/Refresh.png |
| network_anomaly | http://weather.tbccint.com/weatherrequest.ctp?type=search&platform=IE&source=1&ctid=CT3045275&octid=CT3045275&locale=en&cityname=ebifeellucky |
| network_anomaly | http://storage.Conduit.com/bankImages/ConduitEngine/ContextMenu/Hide.png |
| network_anomaly | http://storage.Conduit.com/bankImages/ConduitEngine/ContextMenu/Privacy.png |
| network_anomaly | http://storage.Conduit.com/bankImages/ConduitEngine/ContextMenu/About.png |
| network_anomaly | http://storage.Conduit.com/bankImages/ConduitEngine/ContextMenu/Contact.png |
| network_anomaly | http://storage.Conduit.com/bankImages/ConduitEngine/ContextMenu/MoreFromPublisher.png |
| network_anomaly | http://users.conduit.com/iis2ebs.asp |
| network_anomaly | http://api.conduit.com/BrowserCompApi.js |
| network_anomaly | http://login.toolbar.conduit-services.com/Login.ashx |
| network_anomaly | http://crl.geotrust.com/crls/secureca.crl |
| network_anomaly | http://g.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACEAEAISWIsPpZp3fvBXtmJ98%3D |
| network_anomaly | http://newtab.conduit-hosting.com/newtab/?ctid=CT3045275&UM=UM_ID |
| network_anomaly | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc%2FHIGOD%2BaUx0%3D |
| network_anomaly | http://www.google-analytics.com/ga.js |
| network_anomaly | http://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih%2BZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCCl7eXoFMPpY |
| network_anomaly | http://ocsp.pki.goog/GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCCAqPCnhmlE7t |
| network_anomaly | http://crl.pki.goog/GTSGIAG3.crl |
| network_anomaly | http://api.search.conduit.com/Settings/?ctid=CT3045275&um=UM_ID |
| network_anomaly | http://counting.usage.toolbar.conduit-services.com/usage.ashx |
| network_anomaly | http://tracking.usage.app.conduit-services.com/FirstTime.ashx?current=New |
| network_anomaly | http://settings.pricegong.com/settings.ashx?bt=ie&bv=8.0.7601.17514&os=6.1_Service%20Pack%201&defbt=ff&pver=1&app=PriceGong&cver=3.6.12&pglv=&cnum=20503A4E-080027CB305F&unum=8B4736B7-0F0F-4CDB-AD72-8751D2A6FEBA&disid=cndt&subdisid=CT3045275&tbn=BitTorrentBar2&cdate=&ct=&ug=&cxt=2&impr=5&&ts=0&inst=0&snz=0&du=0&zs=1 |
| network_anomaly | http://clientlog.users.tbccint.com/ClientDiagnostics.asmx/ReportDiagnosticsEvent |
| network_anomaly | http://b.scorecardresearch.com/beacon.js |
| network_anomaly | http://static.bitmedianetwork.com/ados.js |
| network_anomaly | http://www.bittorrent.com/images/logo/logo.png |
| network_anomaly | http://www.bittorrent.com/images/logo/bt_pro.png |
| network_anomaly | http://www.bittorrent.com/scripts/frog/b2.js?1469053878 |
| network_anomaly | http://www.bittorrent.com/images/site/ui_divider.gif |
| network_anomaly | http://www.bittorrent.com/scripts/frog/vendor/jquery.vide.min.js? |
| network_anomaly | http://www.bittorrent.com/scripts/site/retina-1.1.0.min.js |
| network_anomaly | http://www.bittorrent.com/scripts/frog/frog.js?1488849741 |
| network_anomaly | http://www.bittorrent.com/scripts/tracking.js |
| network_anomaly | http://www.bittorrent.com/images/logo/bt_now.png |
| network_anomaly | http://edge.quantserve.com/quant.js |
| network_anomaly | http://www.bittorrent.com/scripts/site/jquery.colorbox-min.js |
| network_anomaly | http://engine.bitmedianetwork.com/ados?t=1523632575922&request={"Placements":[{"A":5682,"S":50614,"D":"azk78385","ATA":[4,925],"Z":[57118],"Properties":{"x-index-domain":"bitmedianetwork.com"}}],"Keywords":"undefined","Referrer":"","IsAsync":true} |
| network_anomaly | http://b.scorecardresearch.com/b?c1=2&c2=17330952&ns__t=1523632575940&ns_c=windows-1252&ns_if=1&cv=3.1&c8=Download%20-%20BitTorrent%C2%AE%20-%20Delivering%20the%20World%E2%80%99s%20Content&c7=http%3A%2F%2Fwww.bittorrent.com%2Fdownloads%2Finstall-complete&c9= |
| network_anomaly | http://weather.tbccint.com/weatherrequest.ctp?type=forecast&imagetype=DEFAULT&ndays=3&locale=en&locationid=USNY0181 |
| network_anomaly | http://pixel.quantserve.com/pixel;r=1197553828;rf=2;a=p-f87ZgUEkM-SZY;url=http%3A%2F%2Fwww.bittorrent.com%2Fdownloads%2Finstall-complete;fpan=1;fpa=P0-132630905-1523636720685;ns=0;ce=1;cm=;ref=;je=1;sr=800x600x32;enc=n;dst=1;et=1523636720667;tzo=-180;ogl=url.http%3A%2F%2Fwww%252Ebittorrent%252Ecom%2Fdownloads%2Finstall-complete%2Ctype.website%2Ctitle.Download%20-%20BitTorrent%C2%AE%20-%20Delivering%20the%20World%E2%80%99s%20Content%2Cdescription.Download%20the%20official%20BitTorrent%C2%AE%20torrent%20client%20for%20Windows%20or%20Mac%E2%80%94from%20the%20inv%2Cimage.http%3A%2F%2Fwww%252Ebittorrent%252Ecom%2Fimages%2Flogo%2Fbtlogo%252Ejpg |
| network_anomaly | http://www.google-analytics.com/__utm.gif?utmwv=5.7.1&utms=1&utmn=52160543&utmhn=storage.stgbssint.com&utmt=event&utme=5(User_State*NU_After_Feb01)&utmcs=utf-8&utmsr=800x600&utmvp=1x26&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=20.0%20r0&utmdt=Search%20App%20-%20Embedded&utmhid=951010623&utmr=-&utmp=%2Fps%2Fsearchmod%2Fembedded.html&utmht=1523641505354&utmac=UA-38050659-1&utmcc=__utma%3D1.604918213.1523620961.1523620961.1523620961.1%3B%2B__utmz%3D1.1523620961.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&utmjid=&utmu=4BAAAAAAAAAAAAAAAAAAAAAE~ |
| network_anomaly | http://www.bittorrent.com/faviconNew.ico |
| network_anomaly | http://www.bittorrent.com/images/colorbox/cancel.png |
| network_anomaly | http://feeds.reuters.com/reuters/topNews |
| network_anomaly | http://rss.news.yahoo.com/rss/world |
| network_anomaly | http://news.google.nl/news?pz=1&cf=all&ned=nl_nl&hl=nl&topic=h&num=3&output=rss |
| network_anomaly | http://news.google.nl/news?cf=all&ned=us&hl=en&topic=h&num=3&output=rss |
| network_anomaly | http://feeds.news.com.au/public/rss/2.0/news_breaking_news_32.xml |
| network_anomaly | http://rss.cbc.ca/lineup/latest.xml |
| network_anomaly | http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml |
| network_anomaly | http://www.thesun.co.uk/sol/homepage/feeds/rss/article312900.ece |
| network_anomaly | http://worldpress.org/feeds/topstories.xml |
| network_anomaly | http://news.google.nl/news/headlines |
| network_anomaly | http://news.google.nl/news?cf=all&ned=fr&hl=fr&topic=h&num=3&output=rss |
| network_anomaly | http://news.yahoo.com/rss/world |
| network_anomaly | http://feeds.feedburner.com/newscomaubreakingndm |
| network_anomaly | http://feeds.bbci.co.uk/news/rss.xml?edition=int |
| network_anomaly | http://www.cbc.ca/cmlink/rss-latest |
| network_anomaly | http://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih%2BZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCDdf%2FhHl4xa%2B |
| network_anomaly | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D |
| network_anomaly | http://ieupdate.tbccint.com/ver6.18.2.72/tbedrs.dll |
| network_anomaly | http://crl.globalsign.net/primobject.crl |
| network_anomaly | http://servicemap.tbccint.com/Toolbarservice |
| network_anomaly | http://search.conduit.com/favicon.ico |
| network_anomaly | http://usage.toolbar.tbccint.com/ToolbarUsage.ashx |
| network_anomaly | http://toolbar-ie-updater.tbccint.com/update/?productId=TBUpdaterLogic&ver=0.0.0.0&itemId=7b13ec3e-999a-4b70-b9cb-2617b8323822 |
| network_anomaly | http://contextmenu.toolbar.conduit-services.com/?name=Toolbar&locale=en&ctid=CT3045275&UM=UM_UNINSTALL_ID |
| network_anomaly | http://contextmenu.toolbar.conduit-services.com/?name=SharedApps&locale=en&ctid=CT3045275 |
| network_anomaly | http://contextmenu.toolbar.conduit-services.com/?name=OtherApps&locale=en&ctid=CT3045275 |
| network_anomaly | http://contextmenu.toolbar.conduit-services.com/?name=GottenApps&locale=en&ctid=CT3045275 |
| network_anomaly | http://tb-service.databssint.com/ |
| network_anomaly | http://www.msftncsi.com/ncsi.txt |
| network_anomaly | http://storage.stgbssint.com/IEBackgroundContainer/TBUpdaterLogic/4.0.0.2/TBUpdaterLogic.dll |
| network_anomaly | http://www.bing.com/favicon.ico |
Performs some HTTP requests Show sources
| network_url | http://usage.toolbar.conduit-services.com/ToolbarUsage.ashx |
| network_url | http://servicemap.conduit-services.com/Toolbar/?ownerId=CT3045275 |
| network_url | http://bittorrentbar2.ourtoolbar.com/SetupFinish |
| network_url | http://bittorrentbar2.ourtoolbar.com/SetupFinish/ |
| network_url | http://bittorrentbar2.ourtoolbar.com/welcome/default.aspx |
| network_url | http://www.bittorrent.com/downloads/install-complete |
| network_url | http://www.bittorrent.com/stylesheets/frog/grid.css?1406221364 |
| network_url | http://www.bittorrent.com/stylesheets/animate-custom.css?1453258658 |
| network_url | http://www.bittorrent.com/scripts/site/jquery.smartbanner.js |
| network_url | http://fonts.googleapis.com/css?family=Open+Sans:300italic,400italic,600,300,400,700&subset=latin,cyrillic,latin-ext |
| network_url | http://www.bittorrent.com/stylesheets/jquery.smartbanner.css?1409068875 |
| network_url | http://netdna.bootstrapcdn.com/font-awesome/4.0.3/css/font-awesome.css |
| network_url | http://fast.fonts.net/cssapi/84df605e-600d-4cfa-a1a4-bd36ef0a22ad.css |
| network_url | http://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js |
| network_url | http://www.bittorrent.com/stylesheets/frog/frog.css?1466697757 |
| network_url | http://www.bittorrent.com/stylesheets/frog/panels.css?1520374749 |
| network_url | http://www.bittorrent.com/stylesheets/animate-custom.css?1409068875 |
| network_url | http://netdna.bootstrapcdn.com/font-awesome/4.0.3/fonts/fontawesome-webfont.eot? |
| network_url | http://fonts.gstatic.com/s/opensans/v15/mem8YaGs126MiZpBA-U1Uw.eot |
| network_url | http://www.googletagservices.com/tag/js/gpt.js |
| network_url | http://www.bittorrent.com/scripts/site/detection.js |
| network_url | http://www.googleadservices.com/pagead/conversion.js |
| network_url | http://settings.toolbar.search.conduit.com/root/CT3045275/CT3045275 |
| network_url | http://appsmetadata.toolbar.conduit-services.com/?ctid=CT3045275 |
| network_url | http://clientlog.users.conduit.com/ |
| network_url | http://www.bittorrent.com/scripts/site/respond.min.js?1371775856 |
| network_url | http://html5shiv.googlecode.com/svn/trunk/html5.js |
| network_url | http://cdn.optimizely.com/js/50136351.js |
| network_url | http://storage.stgbssint.com/75/304/CT3045275/Images/634220815653506250.png |
| network_url | http://storage.stgbssint.com/images/searchengines/go_btn_new.gif |
| network_url | http://storage.stgbssint.com/MarketPlace/93/ce3/93951332-f9a7-4af7-af02-17ec3d749ce3/Appearance/634159521796627506_24x24.png |
| network_url | http://storage.stgbssint.com/92/279/CT2790392/Images/634220879921318750.png |
| network_url | http://storage.stgbssint.com/75/304/CT3045275/images/634818561434829991_24PX.png |
| network_url | http://storage.stgbssint.com/75/304/CT3045275/Images/634225281783662500.png |
| network_url | http://storage.stgbssint.com/92/279/CT2790392/Images/634225278165850000.png |
| network_url | http://storage.stgbssint.com/92/279/CT2790392/Images/634225280526593750.png |
| network_url | http://storage.stgbssint.com/92/279/CT2790392/Images/634225279692725000.png |
| network_url | http://storage.stgbssint.com/92/279/CT2790392/Images/634225280304131250.png |
| network_url | http://storage.stgbssint.com/92/279/CT2790392/Images/634225281436162500.png |
| network_url | http://storage.stgbssint.com/92/279/CT2790392/Images/634225280643975000.png |
| network_url | http://storage.stgbssint.com/92/279/CT2790392/Images/634225284383662500.png |
| network_url | http://storage.stgbssint.com/92/279/CT2790392/Images/634225284881631250.png |
| network_url | http://storage.stgbssint.com/92/279/CT2790392/Images/634225279948156250.png |
| network_url | http://storage.stgbssint.com/92/279/CT2790392/Images/634225287181631250.png |
| network_url | http://storage.stgbssint.com/92/279/CT2790392/Images/634225287547412500.png |
| network_url | http://storage.stgbssint.com/75/304/CT3045275/Images/634244833256762500.png |
| network_url | http://storage.stgbssint.com/75/304/CT3045275/Images/634226713903631250.png |
| network_url | http://contextmenu.toolbar.conduit-services.com/?name=Toolbar&locale=EB_LOCALE&ctid=CT3045275&UM=UM_UNINSTALL_ID |
| network_url | http://contextmenu.toolbar.conduit-services.com/?name=SharedApps&locale=EB_LOCALE&ctid=CT3045275 |
| network_url | http://contextmenu.toolbar.conduit-services.com/?name=OtherApps&locale=EB_LOCALE&ctid=CT3045275 |
| network_url | http://storage.stgbssint.com/images/searchengines/search_icon.gif |
| network_url | http://storage.stgbssint.com/images/SearchEngines/images_search.gif |
| network_url | http://storage.stgbssint.com/images/SearchEngines/video.gif |
| network_url | http://contextmenu.toolbar.conduit-services.com/?name=GottenApps&locale=EB_LOCALE&ctid=CT3045275 |
| network_url | http://storage.stgbssint.com/images/SearchEngines/news_icon.gif |
| network_url | http://storage.stgbssint.com/images/SearchEngines/tfd.gif |
| network_url | http://storage.stgbssint.com/images/searchengines/softonic.gif |
| network_url | http://storage.stgbssint.com/images/main_menu_upgrade.gif |
| network_url | http://storage.stgbssint.com/bankImages/ConduitEngine/ContextMenu/LikeIcon.png |
| network_url | http://storage.stgbssint.com/images/main_menu_help.gif |
| network_url | http://storage.stgbssint.com/images/main_menu_privacy.gif |
| network_url | http://storage.stgbssint.com/images/main_menu_home_page.gif |
| network_url | http://storage.stgbssint.com/images/main_menu_about.gif |
| network_url | http://storage.stgbssint.com/images/main_menu_contact.gif |
| network_url | http://storage.stgbssint.com/images/eula.png |
| network_url | http://tbclient.tbccint.com/plugins/pricegong/Download/{5E1360DC-8FA8-40df-A8CD-FC3831B3634B}.cpi |
| network_url | http://storage.stgbssint.com/images/main_menu_options.gif |
| network_url | http://storage.stgbssint.com/images/main_menu_shrink.gif |
| network_url | http://storage.stgbssint.com/images/main_menu_clear_history.gif |
| network_url | http://storage.stgbssint.com/images/main_menu_refresh.gif |
| network_url | http://storage.stgbssint.com/images/Menu/uninstall-icon.png |
| network_url | http://emailnotifier.services.conduit.com/MailProvider/MailProvidersServices.asmx/GetMailProvidersInfo |
| network_url | http://storage.stgbssint.com/ps/searchmod/embedded.html |
| network_url | http://rss.cnn.com/rss/cnn_latest.rss |
| network_url | http://toolbarstats.s3.amazonaws.com/stats_dyn.html?tbv=1&tbn=0 |
| network_url | http://storage.Conduit.com/bankImages/ConduitEngine/ContextMenu/More.png |
| network_url | http://storage.Conduit.com/bankImages/ConduitEngine/ContextMenu/LikeIcon.png |
| network_url | http://storage.Conduit.com/bankImages/ConduitEngine/ContextMenu/Upgrade.png |
| network_url | http://storage.Conduit.com/bankImages/ConduitEngine/ContextMenu/Browse.png |
| network_url | http://storage.Conduit.com/bankImages/ConduitEngine/ContextMenu/Options.png |
| network_url | http://storage.Conduit.com/bankImages/ConduitEngine/ContextMenu/Refresh.png |
| network_url | http://weather.tbccint.com/weatherrequest.ctp?type=search&platform=IE&source=1&ctid=CT3045275&octid=CT3045275&locale=en&cityname=ebifeellucky |
| network_url | http://storage.Conduit.com/bankImages/ConduitEngine/ContextMenu/Hide.png |
| network_url | http://storage.Conduit.com/bankImages/ConduitEngine/ContextMenu/Privacy.png |
| network_url | http://storage.Conduit.com/bankImages/ConduitEngine/ContextMenu/About.png |
| network_url | http://storage.Conduit.com/bankImages/ConduitEngine/ContextMenu/Contact.png |
| network_url | http://storage.Conduit.com/bankImages/ConduitEngine/ContextMenu/MoreFromPublisher.png |
| network_url | http://users.conduit.com/iis2ebs.asp |
| network_url | http://api.conduit.com/BrowserCompApi.js |
| network_url | http://login.toolbar.conduit-services.com/Login.ashx |
| network_url | http://crl.geotrust.com/crls/secureca.crl |
| network_url | http://g.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACEAEAISWIsPpZp3fvBXtmJ98%3D |
| network_url | http://newtab.conduit-hosting.com/newtab/?ctid=CT3045275&UM=UM_ID |
| network_url | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc%2FHIGOD%2BaUx0%3D |
| network_url | http://www.google-analytics.com/ga.js |
| network_url | http://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih%2BZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCCl7eXoFMPpY |
| network_url | http://ocsp.pki.goog/GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCCAqPCnhmlE7t |
| network_url | http://crl.pki.goog/GTSGIAG3.crl |
| network_url | http://api.search.conduit.com/Settings/?ctid=CT3045275&um=UM_ID |
| network_url | http://counting.usage.toolbar.conduit-services.com/usage.ashx |
| network_url | http://tracking.usage.app.conduit-services.com/FirstTime.ashx?current=New |
| network_url | http://settings.pricegong.com/settings.ashx?bt=ie&bv=8.0.7601.17514&os=6.1_Service%20Pack%201&defbt=ff&pver=1&app=PriceGong&cver=3.6.12&pglv=&cnum=20503A4E-080027CB305F&unum=8B4736B7-0F0F-4CDB-AD72-8751D2A6FEBA&disid=cndt&subdisid=CT3045275&tbn=BitTorrentBar2&cdate=&ct=&ug=&cxt=2&impr=5&&ts=0&inst=0&snz=0&du=0&zs=1 |
| network_url | http://clientlog.users.tbccint.com/ClientDiagnostics.asmx/ReportDiagnosticsEvent |
| network_url | http://b.scorecardresearch.com/beacon.js |
| network_url | http://static.bitmedianetwork.com/ados.js |
| network_url | http://www.bittorrent.com/images/logo/logo.png |
| network_url | http://www.bittorrent.com/images/logo/bt_pro.png |
| network_url | http://www.bittorrent.com/scripts/frog/b2.js?1469053878 |
| network_url | http://www.bittorrent.com/images/site/ui_divider.gif |
| network_url | http://www.bittorrent.com/scripts/frog/vendor/jquery.vide.min.js? |
| network_url | http://www.bittorrent.com/scripts/site/retina-1.1.0.min.js |
| network_url | http://www.bittorrent.com/scripts/frog/frog.js?1488849741 |
| network_url | http://www.bittorrent.com/scripts/tracking.js |
| network_url | http://www.bittorrent.com/images/logo/bt_now.png |
| network_url | http://edge.quantserve.com/quant.js |
| network_url | http://www.bittorrent.com/scripts/site/jquery.colorbox-min.js |
| network_url | http://engine.bitmedianetwork.com/ados?t=1523632575922&request={"Placements":[{"A":5682,"S":50614,"D":"azk78385","ATA":[4,925],"Z":[57118],"Properties":{"x-index-domain":"bitmedianetwork.com"}}],"Keywords":"undefined","Referrer":"","IsAsync":true} |
| network_url | http://b.scorecardresearch.com/b?c1=2&c2=17330952&ns__t=1523632575940&ns_c=windows-1252&ns_if=1&cv=3.1&c8=Download%20-%20BitTorrent%C2%AE%20-%20Delivering%20the%20World%E2%80%99s%20Content&c7=http%3A%2F%2Fwww.bittorrent.com%2Fdownloads%2Finstall-complete&c9= |
| network_url | http://weather.tbccint.com/weatherrequest.ctp?type=forecast&imagetype=DEFAULT&ndays=3&locale=en&locationid=USNY0181 |
| network_url | http://pixel.quantserve.com/pixel;r=1197553828;rf=2;a=p-f87ZgUEkM-SZY;url=http%3A%2F%2Fwww.bittorrent.com%2Fdownloads%2Finstall-complete;fpan=1;fpa=P0-132630905-1523636720685;ns=0;ce=1;cm=;ref=;je=1;sr=800x600x32;enc=n;dst=1;et=1523636720667;tzo=-180;ogl=url.http%3A%2F%2Fwww%252Ebittorrent%252Ecom%2Fdownloads%2Finstall-complete%2Ctype.website%2Ctitle.Download%20-%20BitTorrent%C2%AE%20-%20Delivering%20the%20World%E2%80%99s%20Content%2Cdescription.Download%20the%20official%20BitTorrent%C2%AE%20torrent%20client%20for%20Windows%20or%20Mac%E2%80%94from%20the%20inv%2Cimage.http%3A%2F%2Fwww%252Ebittorrent%252Ecom%2Fimages%2Flogo%2Fbtlogo%252Ejpg |
| network_url | http://www.google-analytics.com/__utm.gif?utmwv=5.7.1&utms=1&utmn=52160543&utmhn=storage.stgbssint.com&utmt=event&utme=5(User_State*NU_After_Feb01)&utmcs=utf-8&utmsr=800x600&utmvp=1x26&utmsc=32-bit&utmul=en-us&utmje=1&utmfl=20.0%20r0&utmdt=Search%20App%20-%20Embedded&utmhid=951010623&utmr=-&utmp=%2Fps%2Fsearchmod%2Fembedded.html&utmht=1523641505354&utmac=UA-38050659-1&utmcc=__utma%3D1.604918213.1523620961.1523620961.1523620961.1%3B%2B__utmz%3D1.1523620961.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&utmjid=&utmu=4BAAAAAAAAAAAAAAAAAAAAAE~ |
| network_url | http://www.bittorrent.com/faviconNew.ico |
| network_url | http://www.bittorrent.com/images/colorbox/cancel.png |
| network_url | http://feeds.reuters.com/reuters/topNews |
| network_url | http://rss.news.yahoo.com/rss/world |
| network_url | http://news.google.nl/news?pz=1&cf=all&ned=nl_nl&hl=nl&topic=h&num=3&output=rss |
| network_url | http://news.google.nl/news?cf=all&ned=us&hl=en&topic=h&num=3&output=rss |
| network_url | http://feeds.news.com.au/public/rss/2.0/news_breaking_news_32.xml |
| network_url | http://rss.cbc.ca/lineup/latest.xml |
| network_url | http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml |
| network_url | http://www.thesun.co.uk/sol/homepage/feeds/rss/article312900.ece |
| network_url | http://worldpress.org/feeds/topstories.xml |
| network_url | http://news.google.nl/news/headlines |
| network_url | http://news.google.nl/news?cf=all&ned=fr&hl=fr&topic=h&num=3&output=rss |
| network_url | http://news.yahoo.com/rss/world |
| network_url | http://feeds.feedburner.com/newscomaubreakingndm |
| network_url | http://feeds.bbci.co.uk/news/rss.xml?edition=int |
| network_url | http://www.cbc.ca/cmlink/rss-latest |
| network_url | http://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih%2BZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCDdf%2FhHl4xa%2B |
| network_url | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D |
| network_url | http://ieupdate.tbccint.com/ver6.18.2.72/tbedrs.dll |
| network_url | http://crl.globalsign.net/primobject.crl |
| network_url | http://servicemap.tbccint.com/Toolbarservice |
| network_url | http://search.conduit.com/favicon.ico |
| network_url | http://usage.toolbar.tbccint.com/ToolbarUsage.ashx |
| network_url | http://toolbar-ie-updater.tbccint.com/update/?productId=TBUpdaterLogic&ver=0.0.0.0&itemId=7b13ec3e-999a-4b70-b9cb-2617b8323822 |
| network_url | http://contextmenu.toolbar.conduit-services.com/?name=Toolbar&locale=en&ctid=CT3045275&UM=UM_UNINSTALL_ID |
| network_url | http://contextmenu.toolbar.conduit-services.com/?name=SharedApps&locale=en&ctid=CT3045275 |
| network_url | http://contextmenu.toolbar.conduit-services.com/?name=OtherApps&locale=en&ctid=CT3045275 |
| network_url | http://contextmenu.toolbar.conduit-services.com/?name=GottenApps&locale=en&ctid=CT3045275 |
| network_url | http://tb-service.databssint.com/ |
| network_url | http://www.msftncsi.com/ncsi.txt |
| network_url | http://storage.stgbssint.com/IEBackgroundContainer/TBUpdaterLogic/4.0.0.2/TBUpdaterLogic.dll |
| network_url | http://www.bing.com/favicon.ico |
Network activity contains more than one unique useragent. Show sources
| Process | rundll32.exe |
| User-Agent | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Process | iexplore.exe |
| User-Agent | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
| Process | iexplore.exe |
| User-Agent | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; CT3045275_ACTID_CT3045275_6.8.11.4) |
| Process | iexplore.exe |
| User-Agent |
Generates some ICMP traffic
Stealing of Sensitive Information
Attempts to create or modify a Browser Helper Object Show sources
| registry_write | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\(Default) |
Steals private information from local Internet browsers Show sources
| file_read | C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@social.tbccint[1].txt |
| file_read | C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@apps.cpccint[1].txt |
| file_read | C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@social.conduit[1].txt |
| file_read | C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@services.apps.conduit[1].txt |
| file_read | C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@services.apps.tbccint[1].txt |
| file_read | C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@apps.tbccint[1].txt |
| file_read | C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@search.conduit[3].txt |
| file_read | C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@apps.conduit[1].txt |
Attempts to modify proxy settings
Spam, Unwanted Advertisements and Ransom Demands
Exhibits possible ransomware file modification behavior Show sources
| file_modifications | Performs 77 file moves indicative of a potential file encryption process |
| appends_new_extension | Appends a new file extension to multiple modified files |
| new_appended_file_extension | .png |
| new_appended_file_extension | .gif |
| new_appended_file_extension | .xml |
Hooking and other Techniques for Hiding Protection
Creates RWX memory Show sources
| injection_rwx_memory | 0x00000040, NtAllocateVirtualMemory or VirtualProtectEx |
A named pipe was used for inter-process communication Show sources
| Creates | iexplore.exe(2252) Created Named Pipe GadgetsManagerPipeServerCT3045275_HIGH |
| Interacts | iexplore.exe(2252) writes/reads data to Named Pipe GadgetsManagerPipeServerCT3045275_HIGH |
| Interacts | iexplore.exe(1708) writes/reads data to Named Pipe GadgetsManagerPipeServerCT3045275_HIGH |
Code injection with CreateRemoteThread in a remote process Show sources
| code_injection | iexplore.exe(1708) -> iexplore.exe(2392) |
Persistence and Installation Behavior
Installs itself for autorun at Windows startup Show sources
| service_create | TBSrv |
| service_create | C:\Program Files (x86)\Tbccint\ToolbarService\ToolbarService.exe |
| registry_write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\BackgroundContainerV2 |
| data | "C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\user\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun |
Malware Analysis System Evasion
Mimics the system's user agent string for its own requests Show sources
| stealth_mimics | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
Possible date expiration check, exits too soon after checking local time Show sources
| api_process_name | iexplore.exe, PID 1708 |
A process attempted to delay the analysis task. Show sources
| api_process_name | ToolbarService.exe tried to sleep 309 seconds, actually delayed analysis time by 0 seconds |
Creates a hidden or system file Show sources
| file_write | C:\Users\user\AppData\Roaming\Microsoft\Windows\IETldCache\Low |
Clears web history Show sources
| file_delete | C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@services.apps.conduit[2].txt |
| file_delete | C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@apps.conduit[2].txt |
| file_delete | C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@social.tbccint[1].txt |
| file_delete | C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@apps.tbccint[1].txt |
| file_delete | C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@apps.cpccint[1].txt |
| file_delete | C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@social.conduit[1].txt |
| file_delete | C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@services.apps.conduit[1].txt |
| file_delete | C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@scorecardresearch[1].txt |
| file_delete | C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@social.tbccint[2].txt |
| file_delete | C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@storage.stgbssint[1].txt |
| file_delete | C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@apps.cpccint[2].txt |
| file_delete | C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@apps.conduit[1].txt |
| file_delete | C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@storage.stgbssint[2].txt |
| file_delete | C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@apps.tbccint[2].txt |
| file_delete | C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@social.conduit[2].txt |
| file_delete | C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@search.conduit[3].txt |
| file_delete | C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@services.apps.tbccint[1].txt |
| file_delete | C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@search.conduit[1].txt |
| file_delete | C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@services.apps.tbccint[2].txt |