Edit tour

Windows Analysis Report
NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE

Overview

General Information

Sample name:	NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE
Analysis ID:	1505544
MD5:	b3f46ad365e186080ca18bcec6437be9
SHA1:	3c0b8f485cce7ab2a439f72f12a8eb15e5a9a1b8
SHA256:	42d6efd448aaa7f28f8801a8dc83d91d30b5a7a1c3b9566f82e1348b1c98f1cc
Infos:

Detection

AgentTesla, RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Double Extension File Execution

Yara detected AgentTesla

Yara detected RedLine Stealer

Creates files in the system32 config directory

Drops executable to a common third party application directory

Initial sample is a PE file and has a suspicious name

Installs a global keyboard hook

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes data at the end of the disk (often used by bootkits to hide malicious code)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Connects to many different domains

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Enables driver privileges

Enables security privileges

Executes massive DNS lookups (> 100)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Powershell Defender Exclusion

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Uncommon Svchost Parent Process

Spawns drivers

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64_ra

NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE (PID: 2860 cmdline: "C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE" MD5: B3F46AD365E186080CA18BCEC6437BE9)

svchost.exe (PID: 7156 cmdline: "C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE (PID: 2648 cmdline: "C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE" MD5: B3F46AD365E186080CA18BCEC6437BE9)

svchost.exe (PID: 6644 cmdline: "C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

server_BTC.exe (PID: 6696 cmdline: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" MD5: 50D015016F20DA0905FD5B37D7834823)

powershell.exe (PID: 5528 cmdline: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 72 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 6252 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 6780 cmdline: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 07:11 /du 23:59 /sc daily /ri 1 /f MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

TrojanAIbot.exe (PID: 7028 cmdline: "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" MD5: 50D015016F20DA0905FD5B37D7834823)

cmd.exe (PID: 7160 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp8F22.tmp.cmd"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 2992 cmdline: timeout 6 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

neworigin.exe (PID: 6724 cmdline: "C:\Users\user\AppData\Local\Temp\neworigin.exe" MD5: D6A4CF0966D24C1EA836BA9A899751E5)

build.exe (PID: 6756 cmdline: "C:\Users\user\AppData\Local\Temp\build.exe" MD5: 3B6501FEEF6196F24163313A9F27DBFD)

armsvc.exe (PID: 3348 cmdline: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" MD5: F39506F272DA6B0BC387C7CBAD280886)

alg.exe (PID: 6968 cmdline: C:\Windows\System32\alg.exe MD5: F84BEAF5F41135B516138FDC243473A6)

AppVStrm.sys (PID: 4 cmdline: MD5: BDA55F89B69757320BC125FF1CB53B26)

AppvVemgr.sys (PID: 4 cmdline: MD5: E70EE9B57F8D771E2F4D6E6B535F6757)

AppvVfs.sys (PID: 4 cmdline: MD5: 2CBABD729D5E746B6BD8DC1B4B4DB1E1)

AppVClient.exe (PID: 7028 cmdline: C:\Windows\system32\AppVClient.exe MD5: 0AC16BE008C6FDB696C38E43DF75E089)

FXSSVC.exe (PID: 7100 cmdline: C:\Windows\system32\fxssvc.exe MD5: 3D35EB193F11AD95F189AC810504F604)

maintenanceservice.exe (PID: 6196 cmdline: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" MD5: 502E8F0D8FA0EF3F29A3C4AD35CB2F04)

uhssvc.exe (PID: 4252 cmdline: "C:\Program Files\Microsoft Update Health Tools\uhssvc.exe" MD5: 08EDFE0C89809B5C0D3307E453AC5165)

svchost.exe (PID: 6372 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\neworigin.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\neworigin.exe	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
C:\Users\user\AppData\Local\Temp\neworigin.exe	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3587b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x358ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35977:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35a09:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35a73:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35ae5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35b7b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35c0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
C:\Users\user\AppData\Local\Temp\build.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\neworigin.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\neworigin.exe	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
C:\Users\user\AppData\Local\Temp\neworigin.exe	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3587b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x358ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35977:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35a09:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35a73:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35ae5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35b7b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35c0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
C:\Users\user\AppData\Local\Temp\build.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\neworigin.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\neworigin.exe	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
C:\Users\user\AppData\Local\Temp\neworigin.exe	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3587b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x358ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x35977:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35a09:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x35a73:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35ae5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x35b7b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x35c0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
C:\Users\user\AppData\Local\Temp\build.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Click to see the 7 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000010.00000002.1218270689.0000000003789000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000010.00000002.1218270689.0000000003712000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.1218270689.0000000003712000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000010.00000002.1218270689.0000000003712000.00000004.00000020.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x6e87b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6e8ed:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6e977:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6ea09:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6ea73:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6eae5:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6eb7b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6ec0b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000013.00000000.1209788633.0000000000E42000.00000002.00000001.01000000.0000000B.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000012.00000000.1208342967.0000000000D12000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000012.00000000.1208342967.0000000000D12000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000013.00000002.1360287595.0000000003496000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000013.00000002.1360287595.0000000003496000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000012.00000002.2465149374.000000000329E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000012.00000002.2465149374.000000000329A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000012.00000002.2465149374.0000000003271000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000012.00000002.2465149374.0000000003271000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000012.00000002.2465149374.00000000032AF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 9 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Double Extension File Execution

Source: Process started

Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE", CommandLine: "C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE, NewProcessName: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE, OriginalFileName: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE, ParentCommandLine: , ParentImage: , ParentProcessId: 4380, ProcessCommandLine: "C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE", ProcessId: 2860, ProcessName: NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\server_BTC.exe, ParentProcessId: 6696, ParentProcessName: server_BTC.exe, ProcessCommandLine: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi' , ProcessId: 5528, ProcessName: powershell.exe

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\drivers\AppVStrm.sys, NewProcessName: C:\Windows\System32\drivers\AppVStrm.sys, OriginalFileName: C:\Windows\System32\drivers\AppVStrm.sys, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: AppVStrm.sys

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\server_BTC.exe, ProcessId: 6696, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 07:11 /du 23:59 /sc daily /ri 1 /f, CommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 07:11 /du 23:59 /sc daily /ri 1 /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\server_BTC.exe, ParentProcessId: 6696, ParentProcessName: server_BTC.exe, ProcessCommandLine: "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 07:11 /du 23:59 /sc daily /ri 1 /f, ProcessId: 6780, ProcessName: schtasks.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 51.195.88.199, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\AppData\Local\Temp\neworigin.exe, Initiated: true, ProcessId: 6724, Protocol: tcp, SourceIp: 192.168.2.16, SourceIsIpv6: false, SourcePort: 49720

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE", CommandLine: "C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE", ParentImage: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE, ParentProcessId: 2860, ParentProcessName: NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE, ProcessCommandLine: "C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE", ProcessId: 7156, ProcessName: svchost.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\server_BTC.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\server_BTC.exe, ParentProcessId: 6696, ParentProcessName: server_BTC.exe, ProcessCommandLine: , ProcessId: 5528, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE", CommandLine: "C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE", ParentImage: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE, ParentProcessId: 2860, ParentProcessName: NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE, ProcessCommandLine: "C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE", ProcessId: 7156, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://pywolwnvd.biz/ibmog	Avira URL Cloud: Label: malware
Source: http://ssbzmoy.biz/gadlqtcclo	Avira URL Cloud: Label: malware
Source: http://przvgke.biz/ocfuav	Avira URL Cloud: Label: malware
Source: http://npukfztj.biz/avqaqcipoasdlbgl	Avira URL Cloud: Label: malware
Source: http://cvgrf.biz/rioeg	Avira URL Cloud: Label: malware
Source: http://knjghuig.biz/qvtcyxjgqcewj	Avira URL Cloud: Label: malware
Source: http://ssbzmoy.biz/qlyvjmdwxl	Avira URL Cloud: Label: malware
Source: http://npukfztj.biz/hshnlfiqt	Avira URL Cloud: Label: malware
Source: http://pywolwnvd.biz/dafjrbte	Avira URL Cloud: Label: malware
Source: http://lpuegx.biz/qjnvredjkanikntw	Avira URL Cloud: Label: phishing
Source: http://przvgke.biz/hea	Avira URL Cloud: Label: malware
Source: http://lpuegx.biz/wqlih	Avira URL Cloud: Label: phishing
Source: http://mnjmhp.biz/mtnqoxhnqxwi	Avira URL Cloud: Label: malware
Source: http://dlynankz.biz/oyataqebqvq	Avira URL Cloud: Label: malware
Source: http://typgfhb.biz/rqdnnkaqeymsqe	Avira URL Cloud: Label: malware
Source: http://vyome.biz/bpkaqfdvy	Avira URL Cloud: Label: malware
Source: http://qaynky.biz/soubumgu	Avira URL Cloud: Label: malware
Source: http://vrrazpdh.biz/jjv	Avira URL Cloud: Label: malware
Source: http://nqwjmb.biz/aawflokdkaaso	Avira URL Cloud: Label: malware
Source: http://oshhkdluh.biz/b	Avira URL Cloud: Label: malware
Source: http://yunalwv.biz/ieibbbqqgmrvhkh	Avira URL Cloud: Label: malware
Source: http://fwiwk.biz/ful	Avira URL Cloud: Label: malware
Source: http://gnqgo.biz/orioms	Avira URL Cloud: Label: malware
Source: http://dwrqljrr.biz/pgm	Avira URL Cloud: Label: malware
Source: http://tbjrpv.biz/iou	Avira URL Cloud: Label: malware
Source: http://ftxlah.biz/jxjcyhijmgghr	Avira URL Cloud: Label: malware
Source: http://brsua.biz/d	Avira URL Cloud: Label: malware
Source: http://ytctnunms.biz/hysug	Avira URL Cloud: Label: malware
Source: http://fwiwk.biz/l	Avira URL Cloud: Label: malware
Source: http://iuzpxe.biz/kybt	Avira URL Cloud: Label: malware
Source: http://deoci.biz/kyvgodg	Avira URL Cloud: Label: malware
Source: http://jpskm.biz/gjwgeffxixqbuh	Avira URL Cloud: Label: malware
Source: http://yauexmxk.biz/afqnwtrkmt	Avira URL Cloud: Label: malware
Source: http://jhvzpcfg.biz/dx	Avira URL Cloud: Label: malware
Source: http://xlfhhhm.biz/hdnypmld	Avira URL Cloud: Label: malware
Source: http://vcddkls.biz/iac	Avira URL Cloud: Label: malware
Source: http://ifsaia.biz/cygphrvvuwwhpqjy	Avira URL Cloud: Label: malware
Source: http://qpnczch.biz/rlifsams	Avira URL Cloud: Label: malware
Source: http://wllvnzb.biz/xurinfdw	Avira URL Cloud: Label: malware
Source: http://acwjcqqv.biz/sucofgimje	Avira URL Cloud: Label: malware
Source: http://gvijgjwkh.biz/lqycgpuam	Avira URL Cloud: Label: malware
Source: http://oflybfv.biz/umdr	Avira URL Cloud: Label: malware
Source: http://saytjshyf.biz/pjojuiupwn	Avira URL Cloud: Label: malware
Source: http://esuzf.biz/adwycgrxdylfxl	Avira URL Cloud: Label: malware
Source: http://yhqqc.biz/uilsnghvu	Avira URL Cloud: Label: malware
Source: http://bumxkqgxu.biz/e	Avira URL Cloud: Label: malware
Source: http://sxmiywsfv.biz/vahgcdxtf	Avira URL Cloud: Label: malware
Source: http://lrxdmhrr.biz/yccyodm	Avira URL Cloud: Label: malware
Source: http://yunalwv.biz/gx	Avira URL Cloud: Label: malware
Source: http://pwlqfu.biz/wfktgrobq	Avira URL Cloud: Label: malware
Source: http://zrlssa.biz/jmsidvkpax	Avira URL Cloud: Label: malware
Source: http://ecxbwt.biz/mbcjcfmxxflkpmuo	Avira URL Cloud: Label: malware
Source: http://cikivjto.biz/fnji	Avira URL Cloud: Label: malware
Source: http://htwqzczce.biz/u	Avira URL Cloud: Label: malware
Source: http://pectx.biz/vdswmyn	Avira URL Cloud: Label: malware
Source: http://gcedd.biz/mtvhnvlftyscrey	Avira URL Cloud: Label: phishing
Source: http://jlqltsjvh.biz/umjblkbuugg	Avira URL Cloud: Label: malware
Source: http://rynmcq.biz/lrpwhcqxkh	Avira URL Cloud: Label: malware
Source: http://warkcdu.biz/qgyptpaacdeujk	Avira URL Cloud: Label: malware
Source: http://xyrgy.biz/huutba	Avira URL Cloud: Label: malware
Source: http://jdhhbs.biz/bduojpmqwclgr	Avira URL Cloud: Label: malware
Source: http://ecxbwt.biz/ocoeycxqebnmcofx	Avira URL Cloud: Label: malware
Source: http://jwkoeoqns.biz/saunpuqsumkr	Avira URL Cloud: Label: malware
Source: http://ywffr.biz/nkpyoqcnfxfvdsvg	Avira URL Cloud: Label: malware
Source: http://reczwga.biz/w	Avira URL Cloud: Label: malware
Source: http://fjumtfnz.biz/rvqem	Avira URL Cloud: Label: malware
Source: http://ctdtgwag.biz/qmsckions	Avira URL Cloud: Label: malware
Source: http://tnevuluw.biz/jpral	Avira URL Cloud: Label: malware
Source: http://ocsvqjg.biz/cceha	Avira URL Cloud: Label: malware
Source: http://eufxebus.biz/li	Avira URL Cloud: Label: malware
Source: http://rffxu.biz/ociacchi	Avira URL Cloud: Label: malware
Source: http://opowhhece.biz/ksosgyughs	Avira URL Cloud: Label: malware
Source: http://wxgzshna.biz/qjjv	Avira URL Cloud: Label: phishing
Source: http://kvbjaur.biz/w	Avira URL Cloud: Label: malware
Source: http://uaafd.biz/cdficgkndhspr	Avira URL Cloud: Label: malware
Source: http://damcprvgv.biz/ckgw	Avira URL Cloud: Label: malware
Source: http://rffxu.biz/nifaqe	Avira URL Cloud: Label: malware
Source: http://mgmsclkyu.biz/b	Avira URL Cloud: Label: malware
Source: http://whjovd.biz/vu	Avira URL Cloud: Label: malware
Source: http://bghjpy.biz/tqtlouxtvhvc	Avira URL Cloud: Label: malware
Source: http://wxgzshna.biz/tp	Avira URL Cloud: Label: phishing
Source: http://banwyw.biz/cfhujvjhaho	Avira URL Cloud: Label: malware
Source: http://gjogvvpsf.biz/eyi	Avira URL Cloud: Label: malware
Source: http://rrqafepng.biz/chtmfsmomhgtgs	Avira URL Cloud: Label: malware
Source: http://htwqzczce.biz/njmokryu	Avira URL Cloud: Label: malware
Source: http://hlzfuyy.biz/rngnlo	Avira URL Cloud: Label: malware
Source: http://uphca.biz/ucx	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Windows\System32\AppVClient.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Windows\System32\alg.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Avira: detection malicious, Label: HEUR/AGEN.1311721
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\7-Zip\7z.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\7-Zip\7zG.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Avira: detection malicious, Label: TR/Spy.Gen8
Source: C:\Windows\System32\AppVClient.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Users\user\AppData\Local\Temp\build.exe	Avira: detection malicious, Label: TR/AD.RedLineSteal.dzdht
Source: C:\Windows\System32\alg.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\7-Zip\Uninstall.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\7-Zip\7zFM.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\7-Zip\7z.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\7-Zip\7zG.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\7-Zip\Uninstall.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files\7-Zip\7zFM.exe	Avira: detection malicious, Label: W32/Infector.Gen

Multi AV Scanner detection for domain / URL

Source: pywolwnvd.biz	Virustotal: Detection: 12%	Perma Link
Source: npukfztj.biz	Virustotal: Detection: 10%	Perma Link
Source: ssbzmoy.biz	Virustotal: Detection: 11%	Perma Link
Source: lpuegx.biz	Virustotal: Detection: 11%	Perma Link
Source: cvgrf.biz	Virustotal: Detection: 10%	Perma Link
Source: zlenh.biz	Virustotal: Detection: 10%	Perma Link
Source: przvgke.biz	Virustotal: Detection: 10%	Perma Link
Source: knjghuig.biz	Virustotal: Detection: 12%	Perma Link
Source: anpmnmxo.biz	Virustotal: Detection: 10%	Perma Link
Source: http://ssbzmoy.biz/gadlqtcclo	Virustotal: Detection: 15%	Perma Link
Source: uhxqin.biz	Virustotal: Detection: 10%	Perma Link
Source: http://pywolwnvd.biz/ibmog	Virustotal: Detection: 14%	Perma Link
Source: http://przvgke.biz/ocfuav	Virustotal: Detection: 9%	Perma Link
Source: http://knjghuig.biz/qvtcyxjgqcewj	Virustotal: Detection: 11%	Perma Link
Source: http://cvgrf.biz/rioeg	Virustotal: Detection: 12%	Perma Link
Source: http://npukfztj.biz/avqaqcipoasdlbgl	Virustotal: Detection: 14%	Perma Link
Source: http://pywolwnvd.biz/dafjrbte	Virustotal: Detection: 14%	Perma Link
Source: http://przvgke.biz/hea	Virustotal: Detection: 9%	Perma Link
Source: http://npukfztj.biz/hshnlfiqt	Virustotal: Detection: 13%	Perma Link
Source: http://ssbzmoy.biz/qlyvjmdwxl	Virustotal: Detection: 16%	Perma Link
Source: http://vyome.biz/bpkaqfdvy	Virustotal: Detection: 13%	Perma Link
Source: http://qaynky.biz/soubumgu	Virustotal: Detection: 8%	Perma Link
Source: http://nqwjmb.biz/aawflokdkaaso	Virustotal: Detection: 12%	Perma Link
Source: http://myups.biz/sem	Virustotal: Detection: 14%	Perma Link
Source: http://oshhkdluh.biz/b	Virustotal: Detection: 13%	Perma Link
Source: http://vrrazpdh.biz/jjv	Virustotal: Detection: 11%	Perma Link
Source: http://fwiwk.biz/ful	Virustotal: Detection: 13%	Perma Link
Source: http://yunalwv.biz/ieibbbqqgmrvhkh	Virustotal: Detection: 9%	Perma Link
Source: http://gytujflc.biz/jtccktxedeenfqg	Virustotal: Detection: 9%	Perma Link
Source: http://myups.biz/vsftv	Virustotal: Detection: 9%	Perma Link
Source: http://gnqgo.biz/orioms	Virustotal: Detection: 11%	Perma Link
Source: http://dwrqljrr.biz/pgm	Virustotal: Detection: 12%	Perma Link
Source: http://tbjrpv.biz/iou	Virustotal: Detection: 10%	Perma Link
Source: http://brsua.biz/d	Virustotal: Detection: 10%	Perma Link
Source: http://fwiwk.biz/l	Virustotal: Detection: 14%	Perma Link
Source: http://yauexmxk.biz/afqnwtrkmt	Virustotal: Detection: 13%	Perma Link
Source: http://jhvzpcfg.biz/dx	Virustotal: Detection: 8%	Perma Link
Source: http://qpnczch.biz/rlifsams	Virustotal: Detection: 14%	Perma Link
Source: http://gvijgjwkh.biz/lqycgpuam	Virustotal: Detection: 12%	Perma Link
Source: http://esuzf.biz/adwycgrxdylfxl	Virustotal: Detection: 10%	Perma Link
Source: http://acwjcqqv.biz/sucofgimje	Virustotal: Detection: 12%	Perma Link
Source: http://ifsaia.biz/cygphrvvuwwhpqjy	Virustotal: Detection: 10%	Perma Link
Source: http://vcddkls.biz/iac	Virustotal: Detection: 8%	Perma Link
Source: http://saytjshyf.biz/pjojuiupwn	Virustotal: Detection: 11%	Perma Link
Source: http://sxmiywsfv.biz/vahgcdxtf	Virustotal: Detection: 12%	Perma Link
Source: http://lrxdmhrr.biz/yccyodm	Virustotal: Detection: 14%	Perma Link
Source: http://yunalwv.biz/gx	Virustotal: Detection: 13%	Perma Link
Source: http://htwqzczce.biz/u	Virustotal: Detection: 13%	Perma Link
Source: http://pectx.biz/vdswmyn	Virustotal: Detection: 7%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\build.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\build.exe	Virustotal: Detection: 89%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Virustotal: Detection: 63%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Virustotal: Detection: 73%	Perma Link

Multi AV Scanner detection for submitted file

Source: NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE

Virustotal: Detection: 71%

Perma Link

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Joe Sandbox ML: detected
Source: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Joe Sandbox ML: detected
Source: C:\Windows\System32\AppVClient.exe	Joe Sandbox ML: detected
Source: C:\Windows\System32\alg.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe	Joe Sandbox ML: detected
Source: C:\Program Files\7-Zip\7z.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Joe Sandbox ML: detected
Source: C:\Program Files\7-Zip\7zG.exe	Joe Sandbox ML: detected
Source: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Joe Sandbox ML: detected
Source: C:\Windows\System32\AppVClient.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\build.exe	Joe Sandbox ML: detected
Source: C:\Windows\System32\alg.exe	Joe Sandbox ML: detected
Source: C:\Program Files\7-Zip\Uninstall.exe	Joe Sandbox ML: detected
Source: C:\Program Files\7-Zip\7zFM.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files\7-Zip\7z.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Joe Sandbox ML: detected
Source: C:\Program Files\7-Zip\7zG.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Joe Sandbox ML: detected
Source: C:\Program Files\7-Zip\Uninstall.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Joe Sandbox ML: detected
Source: C:\Program Files\7-Zip\7zFM.exe	Joe Sandbox ML: detected

Source: NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.16:49714 version: TLS 1.2

Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\

Source: unknown

Network traffic detected: DNS query count 101

Source: global traffic	TCP traffic: 192.168.2.16:49716 -> 212.162.149.53:2049
Source: global traffic	TCP traffic: 192.168.2.16:49720 -> 51.195.88.199:587

Source: global traffic

DNS traffic detected: number of DNS queries: 101

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.16:49720 -> 51.195.88.199:587

Source: global traffic	HTTP traffic detected: POST /ibmog HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 868
Source: global traffic	HTTP traffic detected: POST /lutyxpgtxicgb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /gadlqtcclo HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ssbzmoy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /dafjrbte HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 868
Source: global traffic	HTTP traffic detected: POST /qlyvjmdwxl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ssbzmoy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 868
Source: global traffic	HTTP traffic detected: POST /rioeg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: cvgrf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /hshnlfiqt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: npukfztj.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /avqaqcipoasdlbgl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: npukfztj.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /ocfuav HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /hea HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /qvtcyxjgqcewj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: knjghuig.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /qjnvredjkanikntw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lpuegx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /wqlih HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lpuegx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /kwejxnusmbg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vjaxhpbji.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /lsedv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vjaxhpbji.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /hdnypmld HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: xlfhhhm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /cygphrvvuwwhpqjy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ifsaia.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /pjojuiupwn HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: saytjshyf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /iac HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vcddkls.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /ful HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /l HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /iou HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: tbjrpv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /kyvgodg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: deoci.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /vm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gytujflc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /jtccktxedeenfqg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gytujflc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /soubumgu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qaynky.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /e HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: bumxkqgxu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /pgm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dwrqljrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /aawflokdkaaso HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: nqwjmb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /hysug HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ytctnunms.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /sem HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: myups.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /vsftv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: myups.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /b HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: oshhkdluh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /gx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /ieibbbqqgmrvhkh HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /gjwgeffxixqbuh HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jpskm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /yccyodm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lrxdmhrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /xurinfdw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: wllvnzb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /orioms HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gnqgo.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /dx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jhvzpcfg.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /sucofgimje HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: acwjcqqv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /bpkaqfdvy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vyome.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /afqnwtrkmt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yauexmxk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /kybt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: iuzpxe.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /vahgcdxtf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: sxmiywsfv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /jjv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vrrazpdh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /jxjcyhijmgghr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ftxlah.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /rqdnnkaqeymsqe HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: typgfhb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /adwycgrxdylfxl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: esuzf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /lqycgpuam HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gvijgjwkh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /rlifsams HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qpnczch.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /d HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: brsua.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /oyataqebqvq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dlynankz.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /umdr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: oflybfv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /uilsnghvu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yhqqc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /mtnqoxhnqxwi HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: mnjmhp.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /ksosgyughs HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: opowhhece.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /bduojpmqwclgr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jdhhbs.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /b HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: mgmsclkyu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /qgyptpaacdeujk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: warkcdu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /mtvhnvlftyscrey HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gcedd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /saunpuqsumkr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jwkoeoqns.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /essg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: xccjj.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /fwgtnqaffg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: hehckyov.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /lrpwhcqxkh HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: rynmcq.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /cdficgkndhspr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: uaafd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /li HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: eufxebus.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /wfktgrobq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pwlqfu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /chtmfsmomhgtgs HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: rrqafepng.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /qmsckions HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ctdtgwag.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /jpral HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: tnevuluw.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /vu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: whjovd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /kaxprjwfiybl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gjogvvpsf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /eyi HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gjogvvpsf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: reczwga.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /tqtlouxtvhvc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: bghjpy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /ckgw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: damcprvgv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /cceha HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ocsvqjg.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /nkpyoqcnfxfvdsvg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ywffr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /ocoeycxqebnmcofx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ecxbwt.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /mbcjcfmxxflkpmuo HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ecxbwt.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /vdswmyn HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pectx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /jdxpe HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: zyiexezl.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /cfhujvjhaho HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: banwyw.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /tp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: wxgzshna.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /qjjv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: wxgzshna.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /jmsidvkpax HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: zrlssa.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /umjblkbuugg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jlqltsjvh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /huutba HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: xyrgy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /u HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: htwqzczce.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /njmokryu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: htwqzczce.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: kvbjaur.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /ucx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: uphca.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /rvqem HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fjumtfnz.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /rngnlo HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: hlzfuyy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /ociacchi HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: rffxu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /nifaqe HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: rffxu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /fnji HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: cikivjto.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /bsjqpgxufr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qncdaagct.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /kuxiqsojkmip HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: shpwbsrw.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /lrnrnpb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: shpwbsrw.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /pgikxpkq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: cjvgcl.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /llhapbqwborcds HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: neazudmrq.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /suw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pgfsvwx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /pcsirhcwmnroqpc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: aatcwo.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /qakf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: kcyvxytog.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /gtcuyk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: nwdnxrd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /pjgdeytc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ereplfx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic	HTTP traffic detected: POST /imppcncbrvlqyyq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ptrim.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778

Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53
Source: unknown	TCP traffic detected without corresponding DNS query: 212.162.149.53

Source: global traffic	DNS traffic detected: DNS query: pywolwnvd.biz
Source: global traffic	DNS traffic detected: DNS query: ssbzmoy.biz
Source: global traffic	DNS traffic detected: DNS query: cvgrf.biz
Source: global traffic	DNS traffic detected: DNS query: npukfztj.biz
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: przvgke.biz
Source: global traffic	DNS traffic detected: DNS query: s82.gocheapweb.com
Source: global traffic	DNS traffic detected: DNS query: zlenh.biz
Source: global traffic	DNS traffic detected: DNS query: knjghuig.biz
Source: global traffic	DNS traffic detected: DNS query: uhxqin.biz
Source: global traffic	DNS traffic detected: DNS query: anpmnmxo.biz
Source: global traffic	DNS traffic detected: DNS query: lpuegx.biz
Source: global traffic	DNS traffic detected: DNS query: vjaxhpbji.biz
Source: global traffic	DNS traffic detected: DNS query: xlfhhhm.biz
Source: global traffic	DNS traffic detected: DNS query: ifsaia.biz
Source: global traffic	DNS traffic detected: DNS query: saytjshyf.biz
Source: global traffic	DNS traffic detected: DNS query: vcddkls.biz
Source: global traffic	DNS traffic detected: DNS query: fwiwk.biz
Source: global traffic	DNS traffic detected: DNS query: tbjrpv.biz
Source: global traffic	DNS traffic detected: DNS query: deoci.biz
Source: global traffic	DNS traffic detected: DNS query: gytujflc.biz
Source: global traffic	DNS traffic detected: DNS query: qaynky.biz
Source: global traffic	DNS traffic detected: DNS query: bumxkqgxu.biz
Source: global traffic	DNS traffic detected: DNS query: dwrqljrr.biz
Source: global traffic	DNS traffic detected: DNS query: nqwjmb.biz
Source: global traffic	DNS traffic detected: DNS query: ytctnunms.biz
Source: global traffic	DNS traffic detected: DNS query: myups.biz
Source: global traffic	DNS traffic detected: DNS query: oshhkdluh.biz
Source: global traffic	DNS traffic detected: DNS query: yunalwv.biz
Source: global traffic	DNS traffic detected: DNS query: jpskm.biz
Source: global traffic	DNS traffic detected: DNS query: lrxdmhrr.biz
Source: global traffic	DNS traffic detected: DNS query: wllvnzb.biz
Source: global traffic	DNS traffic detected: DNS query: gnqgo.biz
Source: global traffic	DNS traffic detected: DNS query: jhvzpcfg.biz
Source: global traffic	DNS traffic detected: DNS query: acwjcqqv.biz
Source: global traffic	DNS traffic detected: DNS query: lejtdj.biz
Source: global traffic	DNS traffic detected: DNS query: vyome.biz
Source: global traffic	DNS traffic detected: DNS query: yauexmxk.biz
Source: global traffic	DNS traffic detected: DNS query: iuzpxe.biz
Source: global traffic	DNS traffic detected: DNS query: sxmiywsfv.biz
Source: global traffic	DNS traffic detected: DNS query: vrrazpdh.biz
Source: global traffic	DNS traffic detected: DNS query: ftxlah.biz
Source: global traffic	DNS traffic detected: DNS query: typgfhb.biz
Source: global traffic	DNS traffic detected: DNS query: esuzf.biz
Source: global traffic	DNS traffic detected: DNS query: gvijgjwkh.biz
Source: global traffic	DNS traffic detected: DNS query: qpnczch.biz
Source: global traffic	DNS traffic detected: DNS query: brsua.biz
Source: global traffic	DNS traffic detected: DNS query: dlynankz.biz
Source: global traffic	DNS traffic detected: DNS query: oflybfv.biz
Source: global traffic	DNS traffic detected: DNS query: yhqqc.biz
Source: global traffic	DNS traffic detected: DNS query: mnjmhp.biz
Source: global traffic	DNS traffic detected: DNS query: opowhhece.biz
Source: global traffic	DNS traffic detected: DNS query: zjbpaao.biz
Source: global traffic	DNS traffic detected: DNS query: jdhhbs.biz
Source: global traffic	DNS traffic detected: DNS query: mgmsclkyu.biz
Source: global traffic	DNS traffic detected: DNS query: warkcdu.biz
Source: global traffic	DNS traffic detected: DNS query: gcedd.biz
Source: global traffic	DNS traffic detected: DNS query: jwkoeoqns.biz
Source: global traffic	DNS traffic detected: DNS query: xccjj.biz
Source: global traffic	DNS traffic detected: DNS query: hehckyov.biz
Source: global traffic	DNS traffic detected: DNS query: rynmcq.biz
Source: global traffic	DNS traffic detected: DNS query: uaafd.biz
Source: global traffic	DNS traffic detected: DNS query: eufxebus.biz
Source: global traffic	DNS traffic detected: DNS query: pwlqfu.biz
Source: global traffic	DNS traffic detected: DNS query: rrqafepng.biz
Source: global traffic	DNS traffic detected: DNS query: ctdtgwag.biz
Source: global traffic	DNS traffic detected: DNS query: tnevuluw.biz
Source: global traffic	DNS traffic detected: DNS query: whjovd.biz
Source: global traffic	DNS traffic detected: DNS query: gjogvvpsf.biz
Source: global traffic	DNS traffic detected: DNS query: reczwga.biz
Source: global traffic	DNS traffic detected: DNS query: bghjpy.biz
Source: global traffic	DNS traffic detected: DNS query: damcprvgv.biz
Source: global traffic	DNS traffic detected: DNS query: ocsvqjg.biz
Source: global traffic	DNS traffic detected: DNS query: ywffr.biz
Source: global traffic	DNS traffic detected: DNS query: ecxbwt.biz
Source: global traffic	DNS traffic detected: DNS query: pectx.biz
Source: global traffic	DNS traffic detected: DNS query: zyiexezl.biz
Source: global traffic	DNS traffic detected: DNS query: banwyw.biz
Source: global traffic	DNS traffic detected: DNS query: muapr.biz
Source: global traffic	DNS traffic detected: DNS query: wxgzshna.biz
Source: global traffic	DNS traffic detected: DNS query: zrlssa.biz
Source: global traffic	DNS traffic detected: DNS query: jlqltsjvh.biz
Source: global traffic	DNS traffic detected: DNS query: xyrgy.biz
Source: global traffic	DNS traffic detected: DNS query: htwqzczce.biz
Source: global traffic	DNS traffic detected: DNS query: kvbjaur.biz
Source: global traffic	DNS traffic detected: DNS query: uphca.biz
Source: global traffic	DNS traffic detected: DNS query: fjumtfnz.biz
Source: global traffic	DNS traffic detected: DNS query: hlzfuyy.biz
Source: global traffic	DNS traffic detected: DNS query: rffxu.biz
Source: global traffic	DNS traffic detected: DNS query: cikivjto.biz
Source: global traffic	DNS traffic detected: DNS query: qncdaagct.biz
Source: global traffic	DNS traffic detected: DNS query: shpwbsrw.biz
Source: global traffic	DNS traffic detected: DNS query: cjvgcl.biz
Source: global traffic	DNS traffic detected: DNS query: neazudmrq.biz
Source: global traffic	DNS traffic detected: DNS query: pgfsvwx.biz
Source: global traffic	DNS traffic detected: DNS query: aatcwo.biz
Source: global traffic	DNS traffic detected: DNS query: kcyvxytog.biz
Source: global traffic	DNS traffic detected: DNS query: nwdnxrd.biz
Source: global traffic	DNS traffic detected: DNS query: ereplfx.biz
Source: global traffic	DNS traffic detected: DNS query: ptrim.biz

Source: unknown

HTTP traffic detected: POST /ibmog HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 868

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 06 Sep 2024 11:07:23 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 06 Sep 2024 11:07:23 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 06 Sep 2024 11:07:33 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 06 Sep 2024 11:07:33 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.27.1Date: Fri, 06 Sep 2024 11:07:56 GMTTransfer-Encoding: chunkedConnection: keep-aliveKeep-Alive: timeout=20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 06 Sep 2024 11:08:26 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 06 Sep 2024 11:08:26 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->

Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714

Source: unknown

HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.16:49714 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\neworigin.exe

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

Window created: window name: CLIPBRDWNDCLASS

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000010.00000002.1218270689.0000000003712000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE

Source: C:\Windows\System32\alg.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\52b8592e4ce608d8.bin
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Process token adjusted: Load Driver

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Process token adjusted: Security

Source: unknown

Driver loaded: C:\Windows\System32\drivers\AppVStrm.sys

Source: NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 00000010.00000002.1218270689.0000000003712000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@34/105@105/81

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

File created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log

Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE

File created: C:\Users\user\AppData\Roaming\52b8592e4ce608d8.bin

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Mutant created: \Sessions\1\BaseNamedObjects\kbedaSzAAOYDRDgN
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-52b8592e4ce608d8-inf
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-52b8592e4ce608d8fc030088-b
Source: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe	Mutant created: \BaseNamedObjects\Global\Microsoft.Windows.Remediation.TelemetryUpdateHealthTools
Source: C:\Windows\System32\alg.exe	Mutant created: \BaseNamedObjects\Global\Multiarch.m0yv-52b8592e4ce608d89ea72c54-b

Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE

File created: C:\Users\user\AppData\Local\Temp\aut72FF.tmp

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\SysWOW64\svchost.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE

Virustotal: Detection: 71%

Source: unknown	Process created: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE "C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE"
Source: unknown	Process created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Source: unknown	Process created: C:\Windows\System32\alg.exe C:\Windows\System32\alg.exe
Source: unknown	Process created: C:\Windows\System32\AppVClient.exe C:\Windows\system32\AppVClient.exe
Source: unknown	Process created: C:\Windows\System32\FXSSVC.exe C:\Windows\system32\fxssvc.exe
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE"
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Process created: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE "C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE"
Source: unknown	Process created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Source: unknown	Process created: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe "C:\Program Files\Microsoft Update Health Tools\uhssvc.exe"
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp8F22.tmp.cmd""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 6
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE"
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Process created: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE "C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE"
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp8F22.tmp.cmd""
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: version.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: winmm.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: mpr.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: wininet.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: secur32.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: sxs.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: webio.dll
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\alg.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\alg.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\alg.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\alg.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\alg.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\alg.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\alg.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\alg.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\alg.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: appvpolicy.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: appmanagementconfiguration.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\alg.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\alg.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\alg.exe	Section loaded: webio.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: version.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: tapi32.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: credui.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: fxstiff.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: fxsresm.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: ualapi.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: version.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: winmm.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: mpr.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: wininet.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: secur32.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: sxs.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: webio.dll
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe	Section loaded: winhttp.dll
Source: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe	Section loaded: netapi32.dll
Source: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe	Section loaded: dsreg.dll
Source: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe	Section loaded: msvcp110_win.dll
Source: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe	Section loaded: mpr.dll
Source: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe	Section loaded: secur32.dll
Source: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe	Section loaded: dnsapi.dll
Source: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe	Section loaded: ntmarta.dll
Source: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\alg.exe	Section loaded: ondemandconnroutehelper.dll

Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Source: NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE

Static file information: File size 2777600 > 1048576

Source: NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x14de00

Source: NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE

Static PE information: section name: .reloc entropy: 7.931625250013023

Persistence and Installation Behavior

Creates files in the system32 config directory

Source: C:\Windows\System32\alg.exe

File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\52b8592e4ce608d8.bin

Drops executable to a common third party application directory

Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Windows\System32\alg.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe

Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleCrashHandler.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleCrashHandler64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\neworigin.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File created: C:\Windows\System32\alg.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\7-Zip\7zFM.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\7-Zip\7z.exe	Jump to dropped file
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File created: C:\Windows\System32\AppVClient.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\7-Zip\7zG.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Google\Update\Install\{3007B876-EF79-48CC-9A41-17D9D214FFC1}\GoogleUpdateSetup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdate.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\updater.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.36.372\GoogleUpdateSetup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to dropped file
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe	File created: C:\Users\user\AppData\Local\Temp\build.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateOnDemand.exe	Jump to dropped file

Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File created: C:\Windows\System32\AppVClient.exe	Jump to dropped file
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File created: C:\Windows\System32\alg.exe	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe

Process created: C:\Windows\SysWOW64\schtasks.exe

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk

Hooking and other Techniques for Hiding and Protection

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.exe

Static PE information: NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE

Writes data at the end of the disk (often used by bootkits to hide malicious code)

Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Users\user\AppData\Roaming\52b8592e4ce608d8.bin offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 162304
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 735820
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 737280
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 1285120
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 1286144
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 1289427
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 735744
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 31704
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Users\user\AppData\Local\Temp\aut72FF.tmp offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Users\user\AppData\Local\Temp\aut72FF.tmp offset: 1290240
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Users\user\AppData\Local\Temp\Sancha offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Users\user\AppData\Local\Temp\Sancha offset: 1310720
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Users\user\AppData\Local\Temp\Sancha offset: 1372160
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Users\user\AppData\Local\Temp\Grinnellia offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Users\user\AppData\Local\Temp\Grinnellia offset: 196608
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Users\user\AppData\Local\Temp\Grinnellia offset: 200704
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Windows\System32\alg.exe offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Windows\System32\alg.exe offset: 95744
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Windows\System32\alg.exe offset: 669260
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Windows\System32\alg.exe offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Windows\System32\alg.exe offset: 672768
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Windows\System32\alg.exe offset: 1220608
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Windows\System32\alg.exe offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Windows\System32\alg.exe offset: 1221632
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Windows\System32\alg.exe offset: 1224840
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Windows\System32\alg.exe offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Windows\System32\alg.exe offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Windows\System32\alg.exe offset: 669184
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Windows\System32\alg.exe offset: 53125
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Windows\System32\alg.exe offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Windows\System32\AppVClient.exe offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Windows\System32\AppVClient.exe offset: 767488
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Windows\System32\AppVClient.exe offset: 1341004
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Windows\System32\AppVClient.exe offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Windows\System32\AppVClient.exe offset: 1344512
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Windows\System32\AppVClient.exe offset: 1347720
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Windows\System32\AppVClient.exe offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Windows\System32\AppVClient.exe offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Windows\System32\AppVClient.exe offset: 1340928
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Windows\System32\AppVClient.exe offset: 409168
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Windows\System32\AppVClient.exe offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 94208
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 667724
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 671232
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 1219072
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 1220096
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 1223304
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 667648
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 50277
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe offset: 0
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	File written: C:\Windows\System32\FXSSVC.exe offset: unknown

Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	API/Special instruction interceptor: Address: 5463204
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	API/Special instruction interceptor: Address: 5333204

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 1770000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 30D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Memory allocated: 50D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 2FB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 3220000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Memory allocated: 3140000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window / User API: threadDelayed 1048
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Window / User API: threadDelayed 8792

Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleCrashHandler.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleCrashHandler64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7zFM.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to dropped file
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Dropped PE file which has not been started: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7z.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7zG.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Install\{3007B876-EF79-48CC-9A41-17D9D214FFC1}\GoogleUpdateSetup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdate.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\updater.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.36.372\GoogleUpdateSetup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to dropped file
Source: C:\Windows\System32\alg.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateOnDemand.exe	Jump to dropped file

Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE TID: 7060	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\alg.exe TID: 7016	Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE TID: 6220	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6672	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe TID: 6720	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -200000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 1996	Thread sleep count: 1048 > 30
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -99857s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -99730s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -99618s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 1996	Thread sleep count: 8792 > 30
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -99507s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -99397s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -99282s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -99144s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -99033s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -98890s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -98779s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -98668s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -98556s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -98445s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -98334s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -98208s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -98096s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -97968s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -97856s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -97745s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -97633s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -97523s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -97414s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -97302s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -97190s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -97062s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -96952s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -99889s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -99777s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -99665s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -99553s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -99427s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -99300s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -99173s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -99045s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -98934s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -98822s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -98710s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -98598s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -98470s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -98342s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -98221s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -98087s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -97975s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -97864s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -97736s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -97609s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -97497s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -97385s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe TID: 7032	Thread sleep time: -97270s >= -30000s
Source: C:\Windows\System32\alg.exe TID: 6248	Thread sleep time: -330000s >= -30000s
Source: C:\Windows\System32\alg.exe TID: 6248	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\alg.exe TID: 7020	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99857
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99730
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99618
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99507
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99397
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99282
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99144
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99033
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98890
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98779
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98668
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98556
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98445
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98334
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98208
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98096
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97968
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97856
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97745
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97633
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97523
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97414
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97302
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97190
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97062
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 96952
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99889
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99777
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99665
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99553
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99427
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99300
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99173
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 99045
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98934
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98822
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98710
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98598
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98470
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98342
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98221
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 98087
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97975
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97864
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97736
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97609
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97497
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97385
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Thread delayed: delay time: 97270

Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\
Source: C:\Windows\System32\alg.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

Process information queried: ProcessInformation

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE

Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write

Writes to foreign memory regions

Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE

Memory written: C:\Windows\SysWOW64\svchost.exe base: 30D5008

Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE"
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\server_BTC.exe "C:\Users\user\AppData\Local\Temp\server_BTC.exe"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\neworigin.exe "C:\Users\user\AppData\Local\Temp\neworigin.exe"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe "C:\Users\user\AppData\Roaming\ACCApi\TrojanAIbot.exe"
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp8F22.tmp.cmd""

Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\alg.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\AppVClient.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe	Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\Queue\TST7919.tmp VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe	Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\TST792A.tmp VolumeInformation
Source: C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\Microsoft Update Health Tools\uhssvc.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\server_BTC.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\server_BTC.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\neworigin.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 00000010.00000002.1218270689.0000000003712000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.1208342967.0000000000D12000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED
Source: Yara match	File source: 00000012.00000002.2465149374.000000000329E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2465149374.000000000329A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2465149374.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2465149374.00000000032AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: 00000010.00000002.1218270689.0000000003789000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.1209788633.0000000000E42000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED
Source: Yara match	File source: 00000013.00000002.1360287595.0000000003496000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Local\Temp\neworigin.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 00000010.00000002.1218270689.0000000003712000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.1208342967.0000000000D12000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED
Source: Yara match	File source: 00000013.00000002.1360287595.0000000003496000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2465149374.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 00000010.00000002.1218270689.0000000003712000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.1208342967.0000000000D12000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\neworigin.exe, type: DROPPED
Source: Yara match	File source: 00000012.00000002.2465149374.000000000329E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2465149374.000000000329A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2465149374.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2465149374.00000000032AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: 00000010.00000002.1218270689.0000000003789000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.1209788633.0000000000E42000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\build.exe, type: DROPPED
Source: Yara match	File source: 00000013.00000002.1360287595.0000000003496000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	2 LSASS Driver	2 LSASS Driver	1 Disable or Modify Tools	2 OS Credential Dumping	2 File and Directory Discovery	Remote Services	2 Data from Local System	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Obfuscated Files or Information	11 Input Capture	134 System Information Discovery	Remote Desktop Protocol	1 Email Collection	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Scheduled Task/Job	211 Process Injection	1 Direct Volume Access	1 Credentials in Registry	32 Security Software Discovery	SMB/Windows Admin Shares	11 Input Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	1 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	1 Clipboard Data	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	LSA Secrets	151 Virtualization/Sandbox Evasion	SSH	Keylogging	24 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	322 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	151 Virtualization/Sandbox Evasion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	211 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Source	Detection	Scanner	Label	Link
NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE	72%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Avira	W32/Infector.Gen
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	100%	Avira	W32/Infector.Gen
C:\Windows\System32\AppVClient.exe	100%	Avira	W32/Infector.Gen
C:\Windows\System32\alg.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Joe Sandbox ML
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	100%	Joe Sandbox ML
C:\Windows\System32\AppVClient.exe	100%	Joe Sandbox ML
C:\Windows\System32\alg.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\server_BTC.exe	100%	Avira	HEUR/AGEN.1311721
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Avira	W32/Infector.Gen
C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	100%	Avira	W32/Infector.Gen
C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	100%	Avira	W32/Infector.Gen
C:\Program Files\Microsoft Update Health Tools\uhssvc.exe	100%	Avira	W32/Infector.Gen
C:\Program Files\7-Zip\7z.exe	100%	Avira	W32/Infector.Gen
C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	100%	Avira	W32/Infector.Gen
C:\Program Files\7-Zip\7zG.exe	100%	Avira	W32/Infector.Gen
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	100%	Avira	W32/Infector.Gen
C:\Users\user\AppData\Local\Temp\neworigin.exe	100%	Avira	TR/Spy.Gen8
C:\Windows\System32\AppVClient.exe	100%	Avira	W32/Infector.Gen
C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	100%	Avira	W32/Infector.Gen
C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	100%	Avira	W32/Infector.Gen
C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	100%	Avira	W32/Infector.Gen
C:\Users\user\AppData\Local\Temp\build.exe	100%	Avira	TR/AD.RedLineSteal.dzdht
C:\Windows\System32\alg.exe	100%	Avira	W32/Infector.Gen
C:\Program Files\7-Zip\Uninstall.exe	100%	Avira	W32/Infector.Gen
C:\Program Files\7-Zip\7zFM.exe	100%	Avira	W32/Infector.Gen
C:\Users\user\AppData\Local\Temp\server_BTC.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Joe Sandbox ML
C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	100%	Joe Sandbox ML
C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	100%	Joe Sandbox ML
C:\Program Files\Microsoft Update Health Tools\uhssvc.exe	100%	Joe Sandbox ML
C:\Program Files\7-Zip\7z.exe	100%	Joe Sandbox ML
C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	100%	Joe Sandbox ML
C:\Program Files\7-Zip\7zG.exe	100%	Joe Sandbox ML
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\neworigin.exe	100%	Joe Sandbox ML
C:\Windows\System32\AppVClient.exe	100%	Joe Sandbox ML
C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	100%	Joe Sandbox ML
C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	100%	Joe Sandbox ML
C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\build.exe	100%	Joe Sandbox ML
C:\Windows\System32\alg.exe	100%	Joe Sandbox ML
C:\Program Files\7-Zip\Uninstall.exe	100%	Joe Sandbox ML
C:\Program Files\7-Zip\7zFM.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\build.exe	92%	ReversingLabs	Win32.Ransomware.RedLine
C:\Users\user\AppData\Local\Temp\build.exe	89%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\neworigin.exe	79%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Local\Temp\neworigin.exe	64%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\server_BTC.exe	79%	ReversingLabs	ByteCode-MSIL.Infostealer.ClipBanker
C:\Users\user\AppData\Local\Temp\server_BTC.exe	73%	Virustotal		Browse
C:\Program Files (x86)\AutoIt3\Au3Check.exe	100%	Avira	W32/Infector.Gen
C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Au3Info.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	100%	Avira	W32/Infector.Gen
C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	100%	Avira	W32/Infector.Gen
C:\Program Files\7-Zip\7z.exe	100%	Avira	W32/Infector.Gen
C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	100%	Avira	W32/Infector.Gen
C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	100%	Avira	W32/Infector.Gen
C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	100%	Avira	W32/Infector.Gen
C:\Program Files\7-Zip\7zG.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	100%	Avira	W32/Infector.Gen
C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	100%	Avira	W32/Infector.Gen
C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	100%	Avira	W32/Infector.Gen
C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	100%	Avira	W32/Infector.Gen
C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	100%	Avira	W32/Infector.Gen
C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	100%	Avira	W32/Infector.Gen
C:\Program Files\7-Zip\Uninstall.exe	100%	Avira	W32/Infector.Gen
C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	100%	Avira	W32/Infector.Gen
C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	100%	Avira	W32/Infector.Gen
C:\Program Files\7-Zip\7zFM.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Au3Check.exe	100%	Joe Sandbox ML
C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Info.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	100%	Joe Sandbox ML
C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	100%	Joe Sandbox ML
C:\Program Files\7-Zip\7z.exe	100%	Joe Sandbox ML
C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	100%	Joe Sandbox ML
C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	100%	Joe Sandbox ML
C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	100%	Joe Sandbox ML
C:\Program Files\7-Zip\7zG.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	100%	Joe Sandbox ML

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
pywolwnvd.biz	12%	Virustotal	Browse
npukfztj.biz	10%	Virustotal	Browse
ssbzmoy.biz	11%	Virustotal	Browse
lpuegx.biz	11%	Virustotal	Browse
api.ipify.org	0%	Virustotal	Browse
cvgrf.biz	10%	Virustotal	Browse
zlenh.biz	10%	Virustotal	Browse
s82.gocheapweb.com	1%	Virustotal	Browse
przvgke.biz	10%	Virustotal	Browse
knjghuig.biz	12%	Virustotal	Browse
anpmnmxo.biz	10%	Virustotal	Browse
uhxqin.biz	10%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://pywolwnvd.biz/ibmog	100%	Avira URL Cloud	malware
http://ssbzmoy.biz/gadlqtcclo	100%	Avira URL Cloud	malware
http://przvgke.biz/ocfuav	100%	Avira URL Cloud	malware
http://npukfztj.biz/avqaqcipoasdlbgl	100%	Avira URL Cloud	malware
http://cvgrf.biz/rioeg	100%	Avira URL Cloud	malware
http://knjghuig.biz/qvtcyxjgqcewj	100%	Avira URL Cloud	malware
http://ssbzmoy.biz/gadlqtcclo	16%	Virustotal		Browse
http://ssbzmoy.biz/qlyvjmdwxl	100%	Avira URL Cloud	malware
http://pywolwnvd.biz/ibmog	14%	Virustotal		Browse
http://npukfztj.biz/hshnlfiqt	100%	Avira URL Cloud	malware
http://przvgke.biz/ocfuav	10%	Virustotal		Browse
http://knjghuig.biz/qvtcyxjgqcewj	12%	Virustotal		Browse
http://cvgrf.biz/rioeg	12%	Virustotal		Browse
http://pywolwnvd.biz/dafjrbte	100%	Avira URL Cloud	malware
http://lpuegx.biz/qjnvredjkanikntw	100%	Avira URL Cloud	phishing
http://npukfztj.biz/avqaqcipoasdlbgl	14%	Virustotal		Browse
http://przvgke.biz/hea	100%	Avira URL Cloud	malware
http://lpuegx.biz/wqlih	100%	Avira URL Cloud	phishing
http://pywolwnvd.biz/dafjrbte	14%	Virustotal		Browse
http://przvgke.biz/hea	9%	Virustotal		Browse
http://npukfztj.biz/hshnlfiqt	13%	Virustotal		Browse
http://ssbzmoy.biz/qlyvjmdwxl	17%	Virustotal		Browse
http://mnjmhp.biz/mtnqoxhnqxwi	100%	Avira URL Cloud	malware
http://dlynankz.biz/oyataqebqvq	100%	Avira URL Cloud	malware
http://typgfhb.biz/rqdnnkaqeymsqe	100%	Avira URL Cloud	malware
http://vyome.biz/bpkaqfdvy	100%	Avira URL Cloud	malware
http://qaynky.biz/soubumgu	100%	Avira URL Cloud	malware
http://myups.biz/sem	0%	Avira URL Cloud	safe
http://vrrazpdh.biz/jjv	100%	Avira URL Cloud	malware
http://nqwjmb.biz/aawflokdkaaso	100%	Avira URL Cloud	malware
http://vyome.biz/bpkaqfdvy	13%	Virustotal		Browse
http://oshhkdluh.biz/b	100%	Avira URL Cloud	malware
http://qaynky.biz/soubumgu	9%	Virustotal		Browse
http://gytujflc.biz/vm	0%	Avira URL Cloud	safe
http://nqwjmb.biz/aawflokdkaaso	13%	Virustotal		Browse
http://myups.biz/sem	15%	Virustotal		Browse
http://oshhkdluh.biz/b	14%	Virustotal		Browse
http://yunalwv.biz/ieibbbqqgmrvhkh	100%	Avira URL Cloud	malware
http://vrrazpdh.biz/jjv	12%	Virustotal		Browse
http://fwiwk.biz/ful	100%	Avira URL Cloud	malware
http://gnqgo.biz/orioms	100%	Avira URL Cloud	malware
http://myups.biz/vsftv	0%	Avira URL Cloud	safe
http://gytujflc.biz/jtccktxedeenfqg	0%	Avira URL Cloud	safe
http://gytujflc.biz/vm	4%	Virustotal		Browse
http://dwrqljrr.biz/pgm	100%	Avira URL Cloud	malware
http://fwiwk.biz/ful	14%	Virustotal		Browse
http://yunalwv.biz/ieibbbqqgmrvhkh	10%	Virustotal		Browse
http://tbjrpv.biz/iou	100%	Avira URL Cloud	malware
http://ftxlah.biz/jxjcyhijmgghr	100%	Avira URL Cloud	malware
http://gytujflc.biz/jtccktxedeenfqg	10%	Virustotal		Browse
http://brsua.biz/d	100%	Avira URL Cloud	malware
http://myups.biz/vsftv	9%	Virustotal		Browse
http://gnqgo.biz/orioms	12%	Virustotal		Browse
http://ytctnunms.biz/hysug	100%	Avira URL Cloud	malware
http://dwrqljrr.biz/pgm	12%	Virustotal		Browse
http://fwiwk.biz/l	100%	Avira URL Cloud	malware
http://iuzpxe.biz/kybt	100%	Avira URL Cloud	malware
http://deoci.biz/kyvgodg	100%	Avira URL Cloud	malware
http://tbjrpv.biz/iou	11%	Virustotal		Browse
http://brsua.biz/d	11%	Virustotal		Browse
http://jpskm.biz/gjwgeffxixqbuh	100%	Avira URL Cloud	malware
http://yauexmxk.biz/afqnwtrkmt	100%	Avira URL Cloud	malware
http://jhvzpcfg.biz/dx	100%	Avira URL Cloud	malware
http://xlfhhhm.biz/hdnypmld	100%	Avira URL Cloud	malware
http://fwiwk.biz/l	14%	Virustotal		Browse
http://vcddkls.biz/iac	100%	Avira URL Cloud	malware
http://ifsaia.biz/cygphrvvuwwhpqjy	100%	Avira URL Cloud	malware
http://yauexmxk.biz/afqnwtrkmt	14%	Virustotal		Browse
http://qpnczch.biz/rlifsams	100%	Avira URL Cloud	malware
http://jhvzpcfg.biz/dx	9%	Virustotal		Browse
http://wllvnzb.biz/xurinfdw	100%	Avira URL Cloud	malware
http://acwjcqqv.biz/sucofgimje	100%	Avira URL Cloud	malware
http://gvijgjwkh.biz/lqycgpuam	100%	Avira URL Cloud	malware
http://oflybfv.biz/umdr	100%	Avira URL Cloud	malware
http://saytjshyf.biz/pjojuiupwn	100%	Avira URL Cloud	malware
http://esuzf.biz/adwycgrxdylfxl	100%	Avira URL Cloud	malware
http://qpnczch.biz/rlifsams	14%	Virustotal		Browse
http://gvijgjwkh.biz/lqycgpuam	13%	Virustotal		Browse
http://esuzf.biz/adwycgrxdylfxl	11%	Virustotal		Browse
http://yhqqc.biz/uilsnghvu	100%	Avira URL Cloud	malware
http://acwjcqqv.biz/sucofgimje	13%	Virustotal		Browse
http://ifsaia.biz/cygphrvvuwwhpqjy	11%	Virustotal		Browse
http://bumxkqgxu.biz/e	100%	Avira URL Cloud	malware
http://sxmiywsfv.biz/vahgcdxtf	100%	Avira URL Cloud	malware
http://vjaxhpbji.biz/kwejxnusmbg	0%	Avira URL Cloud	safe
http://vcddkls.biz/iac	9%	Virustotal		Browse
http://lrxdmhrr.biz/yccyodm	100%	Avira URL Cloud	malware
http://yunalwv.biz/gx	100%	Avira URL Cloud	malware
http://vjaxhpbji.biz/lsedv	0%	Avira URL Cloud	safe
http://saytjshyf.biz/pjojuiupwn	12%	Virustotal		Browse
http://bumxkqgxu.biz/e	0%	Virustotal		Browse
http://sxmiywsfv.biz/vahgcdxtf	13%	Virustotal		Browse
http://lrxdmhrr.biz/yccyodm	15%	Virustotal		Browse
http://yunalwv.biz/gx	13%	Virustotal		Browse
http://pwlqfu.biz/wfktgrobq	100%	Avira URL Cloud	malware
http://qncdaagct.biz/bsjqpgxufr	0%	Avira URL Cloud	safe
http://zrlssa.biz/jmsidvkpax	100%	Avira URL Cloud	malware
http://ecxbwt.biz/mbcjcfmxxflkpmuo	100%	Avira URL Cloud	malware
http://cikivjto.biz/fnji	100%	Avira URL Cloud	malware
http://htwqzczce.biz/u	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
uaafd.biz	3.254.94.185	true	false		unknown
vjaxhpbji.biz	82.112.184.197	true	false		unknown
pywolwnvd.biz	54.244.188.177	true	true	12%, Virustotal, Browse	unknown
s82.gocheapweb.com	51.195.88.199	true	false	1%, Virustotal, Browse	unknown
ytctnunms.biz	3.94.10.34	true	false		unknown
qncdaagct.biz	47.129.31.212	true	false		unknown
lrxdmhrr.biz	54.244.188.177	true	false		unknown
vrrazpdh.biz	34.211.97.45	true	false		unknown
ctdtgwag.biz	3.94.10.34	true	false		unknown
cikivjto.biz	44.213.104.86	true	false		unknown
tbjrpv.biz	34.246.200.160	true	false		unknown
kcyvxytog.biz	18.208.156.248	true	false		unknown
hehckyov.biz	44.221.84.105	true	false		unknown
xlfhhhm.biz	47.129.31.212	true	false		unknown
warkcdu.biz	18.141.10.107	true	false		unknown
ereplfx.biz	44.213.104.86	true	false		unknown
npukfztj.biz	44.221.84.105	true	true	10%, Virustotal, Browse	unknown
sxmiywsfv.biz	13.251.16.150	true	false		unknown
pgfsvwx.biz	18.208.156.248	true	false		unknown
przvgke.biz	172.234.222.143	true	true	10%, Virustotal, Browse	unknown
dwrqljrr.biz	54.244.188.177	true	false		unknown
ocsvqjg.biz	3.254.94.185	true	false		unknown
ecxbwt.biz	54.244.188.177	true	false		unknown
gytujflc.biz	208.100.26.245	true	false		unknown
bghjpy.biz	34.211.97.45	true	false		unknown
damcprvgv.biz	18.208.156.248	true	false		unknown
gvijgjwkh.biz	3.94.10.34	true	false		unknown
gnqgo.biz	18.208.156.248	true	false		unknown
deoci.biz	18.208.156.248	true	false		unknown
nwdnxrd.biz	54.244.188.177	true	false		unknown
iuzpxe.biz	13.251.16.150	true	false		unknown
nqwjmb.biz	35.164.78.200	true	false		unknown
wllvnzb.biz	18.141.10.107	true	false		unknown
kvbjaur.biz	54.244.188.177	true	false		unknown
cvgrf.biz	54.244.188.177	true	true	10%, Virustotal, Browse	unknown
lpuegx.biz	82.112.184.197	true	true	11%, Virustotal, Browse	unknown
bumxkqgxu.biz	44.221.84.105	true	false		unknown
yhqqc.biz	34.211.97.45	true	false		unknown
api.ipify.org	104.26.13.205	true	false	0%, Virustotal, Browse	unknown
vcddkls.biz	18.141.10.107	true	false		unknown
vyome.biz	44.213.104.86	true	false		unknown
dlynankz.biz	85.214.228.140	true	false		unknown
gcedd.biz	13.251.16.150	true	false		unknown
reczwga.biz	44.221.84.105	true	false		unknown
xccjj.biz	44.213.104.86	true	false		unknown
wxgzshna.biz	72.52.178.23	true	false		unknown
oshhkdluh.biz	54.244.188.177	true	false		unknown
opowhhece.biz	18.208.156.248	true	false		unknown
pectx.biz	44.213.104.86	true	false		unknown
jwkoeoqns.biz	18.208.156.248	true	false		unknown
jpskm.biz	34.211.97.45	true	false		unknown
ftxlah.biz	47.129.31.212	true	false		unknown
cjvgcl.biz	18.208.156.248	true	false		unknown
ifsaia.biz	13.251.16.150	true	false		unknown
rynmcq.biz	54.244.188.177	true	false		unknown
fjumtfnz.biz	34.211.97.45	true	false		unknown
oflybfv.biz	47.129.31.212	true	false		unknown
jhvzpcfg.biz	44.221.84.105	true	false		unknown
ywffr.biz	54.244.188.177	true	false		unknown
tnevuluw.biz	35.164.78.200	true	false		unknown
znwbniskf.biz	47.129.31.212	true	false		unknown
saytjshyf.biz	44.221.84.105	true	false		unknown
neazudmrq.biz	44.221.84.105	true	false		unknown
fwiwk.biz	172.234.222.138	true	false		unknown
rrqafepng.biz	47.129.31.212	true	false		unknown
typgfhb.biz	13.251.16.150	true	false		unknown
aatcwo.biz	47.129.31.212	true	false		unknown
esuzf.biz	34.211.97.45	true	false		unknown
eufxebus.biz	18.141.10.107	true	false		unknown
whjovd.biz	18.141.10.107	true	false		unknown
uphca.biz	44.221.84.105	true	false		unknown
htwqzczce.biz	172.234.222.143	true	false		unknown
xyrgy.biz	18.208.156.248	true	false		unknown
banwyw.biz	44.221.84.105	true	false		unknown
myups.biz	165.160.13.20	true	false		unknown
pwlqfu.biz	34.246.200.160	true	false		unknown
zyiexezl.biz	18.208.156.248	true	false		unknown
shpwbsrw.biz	13.251.16.150	true	false		unknown
yauexmxk.biz	18.208.156.248	true	false		unknown
hlzfuyy.biz	34.211.97.45	true	false		unknown
ssbzmoy.biz	18.141.10.107	true	true	11%, Virustotal, Browse	unknown
knjghuig.biz	18.141.10.107	true	true	12%, Virustotal, Browse	unknown
yunalwv.biz	208.100.26.245	true	false		unknown
brsua.biz	3.254.94.185	true	false		unknown
rffxu.biz	34.246.200.160	true	false		unknown
jlqltsjvh.biz	18.141.10.107	true	false		unknown
mgmsclkyu.biz	34.246.200.160	true	false		unknown
gjogvvpsf.biz	208.100.26.245	true	false		unknown
qaynky.biz	13.251.16.150	true	false		unknown
ptrim.biz	18.141.10.107	true	false		unknown
qpnczch.biz	44.213.104.86	true	false		unknown
mnjmhp.biz	47.129.31.212	true	false		unknown
acwjcqqv.biz	18.141.10.107	true	false		unknown
jdhhbs.biz	13.251.16.150	true	false		unknown
zrlssa.biz	44.221.84.105	true	false		unknown
uhxqin.biz	unknown	unknown	true	10%, Virustotal, Browse	unknown
anpmnmxo.biz	unknown	unknown	true	10%, Virustotal, Browse	unknown
zjbpaao.biz	unknown	unknown	true		unknown
zlenh.biz	unknown	unknown	true	10%, Virustotal, Browse	unknown
muapr.biz	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://dlynankz.biz/oyataqebqvq	true	Avira URL Cloud: malware	unknown
http://qaynky.biz/soubumgu	true	9%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://qncdaagct.biz/bsjqpgxufr	false	Avira URL Cloud: safe	unknown
http://mnjmhp.biz/mtnqoxhnqxwi	true	Avira URL Cloud: malware	unknown
http://pwlqfu.biz/wfktgrobq	true	Avira URL Cloud: malware	unknown
http://typgfhb.biz/rqdnnkaqeymsqe	true	Avira URL Cloud: malware	unknown
http://ecxbwt.biz/mbcjcfmxxflkpmuo	true	Avira URL Cloud: malware	unknown
http://zrlssa.biz/jmsidvkpax	true	Avira URL Cloud: malware	unknown
http://cikivjto.biz/fnji	true	Avira URL Cloud: malware	unknown
http://htwqzczce.biz/u	true	13%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://gytujflc.biz/vm	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://fwiwk.biz/ful	true	14%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://gnqgo.biz/orioms	true	12%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://pectx.biz/vdswmyn	true	7%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://gcedd.biz/mtvhnvlftyscrey	true	Avira URL Cloud: phishing	unknown
http://jlqltsjvh.biz/umjblkbuugg	true	Avira URL Cloud: malware	unknown
http://gytujflc.biz/jtccktxedeenfqg	true	10%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tbjrpv.biz/iou	true	11%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://ftxlah.biz/jxjcyhijmgghr	true	Avira URL Cloud: malware	unknown
http://rynmcq.biz/lrpwhcqxkh	true	Avira URL Cloud: malware	unknown
http://brsua.biz/d	true	11%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://warkcdu.biz/qgyptpaacdeujk	true	Avira URL Cloud: malware	unknown
http://xyrgy.biz/huutba	true	Avira URL Cloud: malware	unknown
http://cvgrf.biz/rioeg	true	12%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://npukfztj.biz/hshnlfiqt	true	13%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://yauexmxk.biz/afqnwtrkmt	true	14%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://jdhhbs.biz/bduojpmqwclgr	true	Avira URL Cloud: malware	unknown
http://jhvzpcfg.biz/dx	true	9%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://aatcwo.biz/pcsirhcwmnroqpc	false	Avira URL Cloud: safe	unknown
http://pywolwnvd.biz/dafjrbte	true	14%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://ecxbwt.biz/ocoeycxqebnmcofx	true	Avira URL Cloud: malware	unknown
http://jwkoeoqns.biz/saunpuqsumkr	true	Avira URL Cloud: malware	unknown
http://knjghuig.biz/qvtcyxjgqcewj	true	12%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://ifsaia.biz/cygphrvvuwwhpqjy	true	11%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://ywffr.biz/nkpyoqcnfxfvdsvg	true	Avira URL Cloud: malware	unknown
http://przvgke.biz/ocfuav	true	10%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://qpnczch.biz/rlifsams	true	14%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://reczwga.biz/w	true	Avira URL Cloud: malware	unknown
http://fjumtfnz.biz/rvqem	true	Avira URL Cloud: malware	unknown
http://oflybfv.biz/umdr	true	Avira URL Cloud: malware	unknown
http://shpwbsrw.biz/lrnrnpb	false	Avira URL Cloud: safe	unknown
http://ctdtgwag.biz/qmsckions	true	Avira URL Cloud: malware	unknown
http://npukfztj.biz/avqaqcipoasdlbgl	true	14%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://tnevuluw.biz/jpral	true	Avira URL Cloud: malware	unknown
http://ocsvqjg.biz/cceha	true	Avira URL Cloud: malware	unknown
http://eufxebus.biz/li	true	Avira URL Cloud: malware	unknown
http://sxmiywsfv.biz/vahgcdxtf	true	13%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://vjaxhpbji.biz/kwejxnusmbg	false	Avira URL Cloud: safe	unknown
http://vjaxhpbji.biz/lsedv	false	Avira URL Cloud: safe	unknown
http://vyome.biz/bpkaqfdvy	true	13%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://ptrim.biz/imppcncbrvlqyyq	false	Avira URL Cloud: safe	unknown
http://rffxu.biz/ociacchi	true	Avira URL Cloud: malware	unknown
http://myups.biz/sem	true	15%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://vrrazpdh.biz/jjv	true	12%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://nqwjmb.biz/aawflokdkaaso	true	13%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://opowhhece.biz/ksosgyughs	true	Avira URL Cloud: malware	unknown
http://wxgzshna.biz/qjjv	true	Avira URL Cloud: phishing	unknown
http://oshhkdluh.biz/b	true	14%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://pgfsvwx.biz/suw	false	Avira URL Cloud: safe	unknown
http://kvbjaur.biz/w	true	Avira URL Cloud: malware	unknown
http://yunalwv.biz/ieibbbqqgmrvhkh	true	10%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://uaafd.biz/cdficgkndhspr	true	Avira URL Cloud: malware	unknown
http://damcprvgv.biz/ckgw	true	Avira URL Cloud: malware	unknown
http://myups.biz/vsftv	true	9%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://kcyvxytog.biz/qakf	false	Avira URL Cloud: safe	unknown
http://rffxu.biz/nifaqe	true	Avira URL Cloud: malware	unknown
http://dwrqljrr.biz/pgm	true	12%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://przvgke.biz/hea	true	9%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://mgmsclkyu.biz/b	true	Avira URL Cloud: malware	unknown
http://whjovd.biz/vu	true	Avira URL Cloud: malware	unknown
http://ytctnunms.biz/hysug	true	Avira URL Cloud: malware	unknown
http://fwiwk.biz/l	true	14%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://bghjpy.biz/tqtlouxtvhvc	true	Avira URL Cloud: malware	unknown
http://iuzpxe.biz/kybt	true	Avira URL Cloud: malware	unknown
http://shpwbsrw.biz/kuxiqsojkmip	false	Avira URL Cloud: safe	unknown
http://wxgzshna.biz/tp	true	Avira URL Cloud: phishing	unknown
http://lpuegx.biz/qjnvredjkanikntw	true	Avira URL Cloud: phishing	unknown
http://deoci.biz/kyvgodg	true	Avira URL Cloud: malware	unknown
http://jpskm.biz/gjwgeffxixqbuh	true	Avira URL Cloud: malware	unknown
http://ssbzmoy.biz/gadlqtcclo	true	16%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://banwyw.biz/cfhujvjhaho	true	Avira URL Cloud: malware	unknown
http://gjogvvpsf.biz/eyi	true	Avira URL Cloud: malware	unknown
http://ereplfx.biz/pjgdeytc	false	Avira URL Cloud: safe	unknown
http://rrqafepng.biz/chtmfsmomhgtgs	true	Avira URL Cloud: malware	unknown
http://xlfhhhm.biz/hdnypmld	true	Avira URL Cloud: malware	unknown
http://vcddkls.biz/iac	true	9%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://nwdnxrd.biz/gtcuyk	false	Avira URL Cloud: safe	unknown
http://htwqzczce.biz/njmokryu	true	Avira URL Cloud: malware	unknown
http://neazudmrq.biz/llhapbqwborcds	false	Avira URL Cloud: safe	unknown
http://wllvnzb.biz/xurinfdw	true	Avira URL Cloud: malware	unknown
http://acwjcqqv.biz/sucofgimje	true	13%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://gvijgjwkh.biz/lqycgpuam	true	13%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://ssbzmoy.biz/qlyvjmdwxl	true	17%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://hlzfuyy.biz/rngnlo	true	Avira URL Cloud: malware	unknown
http://saytjshyf.biz/pjojuiupwn	true	12%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://esuzf.biz/adwycgrxdylfxl	true	11%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://yhqqc.biz/uilsnghvu	true	Avira URL Cloud: malware	unknown
http://uphca.biz/ucx	true	Avira URL Cloud: malware	unknown
http://pywolwnvd.biz/ibmog	true	14%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://bumxkqgxu.biz/e	true	0%, Virustotal, Browse Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
3.254.94.185	uaafd.biz	United States	16509	AMAZON-02US	false
3.94.10.34	ytctnunms.biz	United States	14618	AMAZON-AESUS	false
34.246.200.160	tbjrpv.biz	United States	16509	AMAZON-02US	false
172.234.222.143	przvgke.biz	United States	20940	AKAMAI-ASN1EU	true
18.208.156.248	kcyvxytog.biz	United States	14618	AMAZON-AESUS	false
34.211.97.45	vrrazpdh.biz	United States	16509	AMAZON-02US	false
208.100.26.245	gytujflc.biz	United States	32748	STEADFASTUS	false
35.164.78.200	nqwjmb.biz	United States	16509	AMAZON-02US	false
172.234.222.138	fwiwk.biz	United States	20940	AKAMAI-ASN1EU	false
165.160.13.20	myups.biz	United States	19574	CSCUS	false
51.195.88.199	s82.gocheapweb.com	France	16276	OVHFR	false
212.162.149.53	unknown	Netherlands	64236	UNREAL-SERVERSUS	false
44.213.104.86	cikivjto.biz	United States	14618	AMAZON-AESUS	false
72.52.178.23	wxgzshna.biz	United States	32244	LIQUIDWEBUS	false
44.221.84.105	hehckyov.biz	United States	14618	AMAZON-AESUS	true
85.214.228.140	dlynankz.biz	Germany	6724	STRATOSTRATOAGDE	false
54.244.188.177	pywolwnvd.biz	United States	16509	AMAZON-02US	true
13.251.16.150	sxmiywsfv.biz	United States	16509	AMAZON-02US	false
47.129.31.212	qncdaagct.biz	Canada	34533	ESAMARA-ASRU	false
184.28.90.27	unknown	United States	16625	AKAMAI-ASUS	false
104.26.13.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
82.112.184.197	vjaxhpbji.biz	Russian Federation	43267	FIRST_LINE-SP_FOR_B2B_CUSTOMERSUPSTREAMSRU	true
18.141.10.107	warkcdu.biz	United States	16509	AMAZON-02US	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1505544
Start date and time:	2024-09-06 13:06:20 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	3
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@34/105@105/81
Cookbook Comments:	Found application associated with file extension: .EXE

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, DiagnosticsHub.StandardCollector.Service.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27, 20.12.23.50, 20.166.126.56
Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, fs.microsoft.com, slscr.update.microsoft.com, e16604.g.akamaiedge.net, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Timeout during stream target processing, analysis might miss dynamic analysis data
VT rate limit hit for: http://banwyw.biz/cfhujvjhaho
VT rate limit hit for: http://bghjpy.biz/tqtlouxtvhvc
VT rate limit hit for: http://ctdtgwag.biz/qmsckions
VT rate limit hit for: http://damcprvgv.biz/ckgw
VT rate limit hit for: http://ereplfx.biz/pjgdeytc
VT rate limit hit for: http://eufxebus.biz/li
VT rate limit hit for: http://fjumtfnz.biz/rvqem
VT rate limit hit for: http://gjogvvpsf.biz/eyi
VT rate limit hit for: http://hlzfuyy.biz/rngnlo
VT rate limit hit for: http://htwqzczce.biz/njmokryu
VT rate limit hit for: http://jwkoeoqns.biz/saunpuqsumkr
VT rate limit hit for: http://kcyvxytog.biz/qakf
VT rate limit hit for: http://kvbjaur.biz/w
VT rate limit hit for: http://mgmsclkyu.biz/b
VT rate limit hit for: http://neazudmrq.biz/llhapbqwborcds
VT rate limit hit for: http://nwdnxrd.biz/gtcuyk
VT rate limit hit for: http://ocsvqjg.biz/cceha
VT rate limit hit for: http://opowhhece.biz/ksosgyughs
VT rate limit hit for: http://pgfsvwx.biz/suw
VT rate limit hit for: http://ptrim.biz/imppcncbrvlqyyq
VT rate limit hit for: http://reczwga.biz/w
VT rate limit hit for: http://rffxu.biz/nifaqe
VT rate limit hit for: http://rffxu.biz/ociacchi
VT rate limit hit for: http://rrqafepng.biz/chtmfsmomhgtgs
VT rate limit hit for: http://shpwbsrw.biz/kuxiqsojkmip
VT rate limit hit for: http://shpwbsrw.biz/lrnrnpb
VT rate limit hit for: http://tnevuluw.biz/jpral
VT rate limit hit for: http://uaafd.biz/cdficgkndhspr
VT rate limit hit for: http://uphca.biz/ucx
VT rate limit hit for: http://whjovd.biz/vu
VT rate limit hit for: http://wxgzshna.biz/qjjv
VT rate limit hit for: http://wxgzshna.biz/tp

Process:	C:\Windows\System32\alg.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1353216
Entropy (8bit):	5.324382851368789
Encrypted:	false
SSDEEP:
MD5:	22CE9B66C9F60A1D8A4C9E6D9842D2C1
SHA1:	4D771DD5AB658F58EC2B04BC7084908552B6D25F
SHA-256:	DF2A088F06C72E14F3BF1A565B16155994A0D73F0A71B9CEC97FAD2003512D53
SHA-512:	1D32439E5412B5A164FD1B9B224DC65E7BC3C915199097396D6DF83B52E805B2C5C334F66AD9ACA991F631989FFE25006B8BB62F30783D7257678B52CD00C506
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........S.~.2.-.2.-.2.-n.G-.2.-n.E-J2.-n.D-.2.-.Z.,.2.-.Z.,.2.-.Z.,.2.-.J%-.2.-.2.-.2.-.[.,.2.-.[I-.2.-.2!-.2.-.[.,.2.-Rich.2.-........................PE..L...g.(c.....................6......&........0....@...........................!.............................................,b..<....p...............................L..8............................L..@............0..,............................text............................... ..`.rdata...8...0...:..."..............@..@.data........p.......\..............@....rsrc....P...p...@...f..............@...................................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\Desktop\NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1290240
Entropy (8bit):	5.277757708868598
Encrypted:	false
SSDEEP:
MD5:	F39506F272DA6B0BC387C7CBAD280886
SHA1:	496311167676DB9ED5537C64DE9A743FE9DAB995
SHA-256:	E1756A7ADE2E847E8C608B2106FAD20D15FF61DC6795057087C104262385058C
SHA-512:	4CFF0EB971D807BA1C78950EA4053C0AF53D52D01FEA06D25CC18C9EC7C6591DFA3052AF195AC01A4A45F37C02A81966252BEB248D7DC8A6E07C6B97FF22B425
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........]...3...3...3...0...3...6.h.3.,.7...3.,.0...3.,.6...3...7...3...2...3...2.G.3.e.:...3.e....3.....3.e.1...3.Rich..3.................PE..L...}..d..........................................@..................................}......................................`D......................................@...p...........................p...@....................B.......................text.............................. ..`.rdata..t...........................@..@.data........`.......@..............@....didat..4............N..............@....rsrc................P..............@..@.reloc...`.......P...`..............@...........................................................................................................................................................................................................................................................

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x8f22e63e, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7864561892938451
Encrypted:	false
SSDEEP:
MD5:	9D44B163ED4F5C413EBB8F09E3564125
SHA1:	FB59254E27289394FA52EE1CC877D40D2A73D1DD
SHA-256:	08CB9680066F24BA4891FF915797617C94CDACF8B7B84A093E2DEA3652D914DD
SHA-512:	402B1443D9EE366563CD27668E0B061CB031A0220FE5FA6465A6074F43A7A44036283A9594B35B68A08E888266D17F42E475F7890994B6C65FCDACA0ECC0B0CC
Malicious:	false
Reputation:	unknown
Preview:	.".>... ...............X\...;...{......................0.z...... ...{..6....\|..h.\|.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............{...............................................................................................................................................................................................2...{...................................bRC6....\|.?..................\6....\|...........................#......h.\|.....................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	22344
Entropy (8bit):	5.612866229252118
Encrypted:	false
SSDEEP:
MD5:	01F19303AF561683B0725CB7348993A8
SHA1:	4698681A300CD7E5275ED51B65CFA1BA2E6E44CE
SHA-256:	1913F414D6C0DC1D59125CB9AD3219F258351490E4C6323398539C63439266E6
SHA-512:	204A68CA785EFCA4F0A3EDF080B3BF70B91FE84699654C4D82B7E7A0DB3241E1D5A3DDCD35B5FA1AF972A9BBD717E8763D80FB4F41A058D0D22B16F5CEE27F3F
Malicious:	false
Reputation:	unknown
Preview:	@...e...............................(................@..........H...............o..b~.D.poM...9..... .Microsoft.PowerShell.ConsoleHostD...............4..7..D.#V.............System.Management.Automation4...............<."..Ke@...j..........System.Core.0.................Vn.F..kLsw..........System..4.................%...K... ...........System.Xml..L.................gQ?O.....x5.\|.....#.Microsoft.Management.Infrastructure.<...............i..VdqF...\|...........System.Configuration8..................1...L..U;V.<}........System.Numerics.@................z.U..G...5.f.1........System.DirectoryServices<................t.,.lG....M...........System.Management...4..................~..2K..}...0".......System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...D....................+.H..!...e........System.Configuration.Ins

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	307712
Entropy (8bit):	5.081289674980977
Encrypted:	false
SSDEEP:
MD5:	3B6501FEEF6196F24163313A9F27DBFD
SHA1:	20D60478D3C161C3CACB870AAC06BE1B43719228
SHA-256:	0576191C50A1B6AFBCAA5CB0512DF5B6A8B9BEF9739E5308F8E2E965BF9B0FC5
SHA-512:	338E2C450A0B1C5DFEA3CD3662051CE231A53388BC2A6097347F14D3A59257CE3734D934DB1992676882B5F4F6A102C7E15B142434575B8970658B4833D23676
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\build.exe, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\build.exe, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\build.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92% Antivirus: Virustotal, Detection: 89%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....H(...............0.................. ... ....@.. ....................... ............@.................................<...O.... ............................................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc..............................@..B................p.......H....... ...............(w..............................................a.u.t.o.f.i.l.l.5.t.Y.W.R.q.a.W.V.o.a.m.h.h.a.m.J.8.W.W.9.y.b.2.l.X.Y.W.x.s.Z.X.Q.K.a.W.J.u.Z.W.p.k.Z.m.p.t.b.W.t.w.Y.2.5.s.c.G.V.i.a.2.x.t.b.m.t.v.Z.W.9.p.a.G.9.m.Z.W.N.8.V.H.J.v.b.m.x.p.b.m.s.K.a.m.J.k.Y.W.9.j.b.m.V.p.a.W.l.u.b.W.p.i.a.m.x.n.Y.W.x.o.Y.2.V.s.Z.2.J.l.a.m.1.u.a.W.R.8.T.m.l.m.d.H.l.X.Y.W.x.s.Z.X.Q.K.b.m.t.i.a.W.h.m.Y.m.V.v.Z.2.F.l.Y.W.9.l.a.G.x.l.Z.m.5.r.b.2.R.i.Z.W.Z.n.c.G.d.r.b.m.5.8.T.W.

Process:	C:\Windows\SysWOW64\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.524640141725149
Encrypted:	false
SSDEEP:
MD5:	04A92849F3C0EE6AC36734C600767EFA
SHA1:	C77B1FF27BC49AB80202109B35C38EE3548429BD
SHA-256:	28B3755A05430A287E4DAFA9F8D8EF27F1EDA4C65E971E42A7CA5E5D4FAE5023
SHA-512:	6D67DF8175522BF45E7375932754B1CA3234292D7B1B957D1F68E4FABE6E7DA0FC52C6D22CF1390895300BA7F14E645FCDBF9DCD14375D8D43A3646C0E338704
Malicious:	false
Reputation:	unknown
Preview:	..Waiting for 6 seconds, press a key to continue ....5.4.3.2.1.0..

Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x66D8F688 [Thu Sep 5 00:08:40 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x14dda8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	8edc515c0ce26ff609bc5cbdf816dcec	False	0.5735602580325704	data	6.675266096479632	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	748cf1ab2605ce1fd72d53d912abb68f	False	0.32828818537859006	data	5.763244005758284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	aae9601d920f07080bdfadf43dfeff12	False	0.1017530487804878	data	1.1963819235530628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc8000	0x14dda8	0x14de00	50dc8422535ff2bfc5744a42ef799d6c	False	0.9806552145731936	data	7.9862922974913655	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x216000	0x96000	0x95000	10feb6d5b0ee9e2f1d62063ec702051a	False	0.9757186582424496	data	7.931625250013023	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc85a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc86d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc87f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc8920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc8c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc8d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc9bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xca480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xca9e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xccf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xce038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xce4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xce4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcea84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcf110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcf5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcfb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xd01f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xd0660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xd07b8	0x145070	data			1.0003108978271484
RT_GROUP_ICON	0x215828	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x2158a0	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x2158b4	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x2158c8	0x14	data	English	Great Britain	1.25
RT_VERSION	0x2158dc	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x2159b8	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Driver: Driver Load, File: File Creation, File: File Modification, Module: Module Load
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Drive: Drive Access, File: File Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Au3Check.exe

C:\Program Files (x86)\AutoIt3\Au3Info.exe

C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe

C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe

C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe

C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleCrashHandler.exe

C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleCrashHandler64.exe

C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdate.exe

C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateBroker.exe

C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateComRegisterShell64.exe

C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe

C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateOnDemand.exe

C:\Program Files (x86)\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.36.372\GoogleUpdateSetup.exe

Windows Analysis Report
NEOM_SUPPLIER_EOI&QUESTIONNAIR_FORM_SHEET.PDF.EXE

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre