Source: explorer.exe, 00000001.00000000.1682612462.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1680935365.00000000079FB000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0 |
Source: explorer.exe, 00000001.00000000.1682612462.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1680935365.00000000079FB000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07 |
Source: explorer.exe, 00000001.00000000.1682612462.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1680935365.00000000079FB000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0 |
Source: explorer.exe, 00000001.00000000.1682612462.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1680935365.00000000079FB000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.digicert.com0 |
Source: explorer.exe, 00000001.00000000.1680935365.00000000078AD000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di |
Source: explorer.exe, 00000001.00000000.1681678254.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1683344877.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1682067799.0000000008720000.00000002.00000001.00040000.00000000.sdmp |
String found in binary or memory: http://schemas.micro |
Source: explorer.exe, 00000001.00000000.1684715130.000000000C964000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://www.autoitscript.com/autoit3/J |
Source: explorer.exe, 00000001.00000000.1684715130.000000000C893000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe |
Source: explorer.exe, 00000001.00000000.1680935365.00000000079FB000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/Vh5j3k |
Source: explorer.exe, 00000001.00000000.1680935365.00000000079FB000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/odirmr |
Source: explorer.exe, 00000001.00000000.1684715130.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://android.notify.windows.com/iOS |
Source: explorer.exe, 00000001.00000000.1682612462.00000000097D4000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://api.msn.com/ |
Source: explorer.exe, 00000001.00000000.1682612462.00000000097D4000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://api.msn.com/q |
Source: explorer.exe, 00000001.00000000.1679822770.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1680269665.0000000003700000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind |
Source: explorer.exe, 00000001.00000000.1682612462.00000000096DF000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?& |
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc |
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1682612462.00000000097D4000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows? |
Source: explorer.exe, 00000001.00000000.1682612462.00000000096DF000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://arc.msn.comi |
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg |
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings |
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg |
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg |
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV |
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark |
Source: explorer.exe, 00000001.00000000.1680935365.00000000078AD000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu |
Source: explorer.exe, 00000001.00000000.1680935365.00000000078AD000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark |
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu |
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark |
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY |
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark |
Source: explorer.exe, 00000001.00000000.1684715130.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://excel.office.com |
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img |
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img |
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img |
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img |
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img |
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img |
Source: explorer.exe, 00000001.00000000.1680935365.00000000078AD000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img |
Source: explorer.exe, 00000001.00000000.1684715130.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://outlook.com_ |
Source: explorer.exe, 00000001.00000000.1684715130.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://powerpoint.office.comcember |
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/ |
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew |
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew |
Source: explorer.exe, 00000001.00000000.1684715130.000000000C557000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://wns.windows.com/L |
Source: explorer.exe, 00000001.00000000.1684715130.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://word.office.com |
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1 |
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi |
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1680935365.00000000078AD000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A |
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re- |
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow- |
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d |
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent |
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we |
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar |
Source: explorer.exe, 00000001.00000000.1680935365.00000000078AD000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl |
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at |
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of |
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win |
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://www.msn.com:443/en-us/feed |
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/ |
Source: explorer.exe, 00000001.00000000.1680935365.0000000007900000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe |
Source: 00000003.00000002.1941515606.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown |
Source: 00000000.00000002.1694254550.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown |
Source: 00000003.00000002.1941531392.00000000048D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown |
Source: 00000000.00000002.1694439425.0000000002E5B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown |
Source: 00000003.00000002.1941400771.0000000002CDB000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown |
Source: 00000000.00000002.1694736825.00000000048F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown |
Source: 00000003.00000002.1941606919.0000000004A11000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown |
Source: 00000000.00000002.1694037919.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown |
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe |
Code function: 0_2_004015A5 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,GlobalAlloc,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, |
0_2_004015A5 |
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe |
Code function: 0_2_00402446 NtQueryInformationProcess, |
0_2_00402446 |
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe |
Code function: 0_2_00402464 NtQuerySystemInformation, |
0_2_00402464 |
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe |
Code function: 0_2_00402421 NtQuerySystemInformation, |
0_2_00402421 |
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe |
Code function: 0_2_004015CD NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,GlobalAlloc,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, |
0_2_004015CD |
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe |
Code function: 0_2_004015D1 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,GlobalAlloc,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, |
0_2_004015D1 |
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe |
Code function: 0_2_004015D4 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,GlobalAlloc,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, |
0_2_004015D4 |
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe |
Code function: 0_2_004015BB NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,GlobalAlloc,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, |
0_2_004015BB |
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe |
Code function: 0_2_004015BF NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,GlobalAlloc,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, |
0_2_004015BF |
Source: 00000003.00000002.1941515606.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23 |
Source: 00000000.00000002.1694254550.0000000002E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23 |
Source: 00000003.00000002.1941531392.00000000048D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23 |
Source: 00000000.00000002.1694439425.0000000002E5B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12 |
Source: 00000003.00000002.1941400771.0000000002CDB000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12 |
Source: 00000000.00000002.1694736825.00000000048F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23 |
Source: 00000003.00000002.1941606919.0000000004A11000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23 |
Source: 00000000.00000002.1694037919.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23 |
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe |
Code function: 0_2_0040284F push eax; ret |
0_2_00402883 |
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe |
Code function: 0_2_00403353 push eax; ret |
0_2_0040336A |
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe |
Code function: 0_2_0040330C push eax; ret |
0_2_0040336A |
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe |
Code function: 0_2_00403313 push eax; ret |
0_2_0040336A |
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe |
Code function: 0_2_00403320 push eax; ret |
0_2_0040336A |
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe |
Code function: 0_2_0040322D push eax; ret |
0_2_0040336A |
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe |
Code function: 0_2_00403338 push eax; ret |
0_2_0040336A |
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe |
Code function: 0_2_004032C3 push eax; ret |
0_2_0040336A |
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe |
Code function: 0_2_00403388 push eax; ret |
0_2_0040336A |
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe |
Code function: 0_2_0040328F push eax; ret |
0_2_0040336A |
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe |
Code function: 0_2_02E22FA5 push esp; iretd |
0_2_02E22FC0 |
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe |
Code function: 0_2_02E228B6 push eax; ret |
0_2_02E228EA |
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe |
Code function: 0_2_02E22F9D push esp; ret |
0_2_02E22FA4 |
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe |
Code function: 0_2_02E23000 push esp; iretd |
0_2_02E22FC0 |
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe |
Code function: 0_2_02E697CA pushfd ; retf |
0_2_02E697CB |
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe |
Code function: 0_2_02E64AC8 push eax; ret |
0_2_02E64AE9 |
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe |
Code function: 0_2_02E64132 push eax; ret |
0_2_02E64166 |
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe |
Code function: 0_2_02E6381F push ebp; ret |
0_2_02E63829 |
Source: C:\Users\user\Desktop\LH27WS7BVJ.exe |
Code function: 0_2_02E6471B pushad ; iretd |
0_2_02E6472F |
Source: C:\Users\user\AppData\Roaming\wtftrbr |
Code function: 3_2_02CE3B8A push eax; ret |
3_2_02CE3BBE |
Source: C:\Users\user\AppData\Roaming\wtftrbr |
Code function: 3_2_02CE3277 push ebp; ret |
3_2_02CE3281 |
Source: C:\Users\user\AppData\Roaming\wtftrbr |
Code function: 3_2_02CE4173 pushad ; iretd |
3_2_02CE4187 |
Source: C:\Users\user\AppData\Roaming\wtftrbr |
Code function: 3_2_02CE9222 pushfd ; retf |
3_2_02CE9223 |
Source: C:\Users\user\AppData\Roaming\wtftrbr |
Code function: 3_2_02CE4520 push eax; ret |
3_2_02CE4541 |
Source: C:\Users\user\AppData\Roaming\wtftrbr |
Code function: 3_2_048C2F9D push esp; ret |
3_2_048C2FA4 |
Source: C:\Users\user\AppData\Roaming\wtftrbr |
Code function: 3_2_048C2FA5 push esp; iretd |
3_2_048C2FC0 |
Source: C:\Users\user\AppData\Roaming\wtftrbr |
Code function: 3_2_048C28B6 push eax; ret |
3_2_048C28EA |
Source: C:\Users\user\AppData\Roaming\wtftrbr |
Code function: 3_2_048C3000 push esp; iretd |
3_2_048C2FC0 |
Source: explorer.exe, 00000001.00000000.1683181405.00000000098A8000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000 |
Source: explorer.exe, 00000001.00000000.1682612462.0000000009815000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: NECVMWar VMware SATA CD00\w |
Source: explorer.exe, 00000001.00000000.1680935365.00000000078A0000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$ |
Source: explorer.exe, 00000001.00000000.1683181405.00000000098A8000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000 |
Source: explorer.exe, 00000001.00000000.1679822770.0000000001240000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000} |
Source: explorer.exe, 00000001.00000000.1683181405.0000000009977000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: VMware SATA CD00 |
Source: explorer.exe, 00000001.00000000.1680935365.00000000078AD000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: NXTTAVMWare |
Source: explorer.exe, 00000001.00000000.1682612462.0000000009815000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000 |
Source: explorer.exe, 00000001.00000000.1682612462.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1682612462.00000000097D4000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: explorer.exe, 00000001.00000000.1683181405.0000000009977000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000 |
Source: explorer.exe, 00000001.00000000.1680935365.0000000007A34000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAWen-GBnx |
Source: explorer.exe, 00000001.00000000.1682612462.0000000009660000.00000004.00000001.00020000.00000000.sdmp |
Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er |
Source: explorer.exe, 00000001.00000000.1679822770.0000000001240000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000 |
Source: explorer.exe, 00000001.00000000.1679822770.0000000001240000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} |