Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Code function: 0_2_00074696 GetFileAttributesW,FindFirstFileW,FindClose, |
0_2_00074696 |
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Code function: 0_2_0007C93C FindFirstFileW,FindClose, |
0_2_0007C93C |
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Code function: 0_2_0007C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, |
0_2_0007C9C7 |
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Code function: 0_2_0007F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
0_2_0007F200 |
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Code function: 0_2_0007F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
0_2_0007F35D |
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Code function: 0_2_0007F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, |
0_2_0007F65E |
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Code function: 0_2_00073A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, |
0_2_00073A2B |
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Code function: 0_2_00073D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, |
0_2_00073D4E |
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Code function: 0_2_0007BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, |
0_2_0007BF27 |
Source: C:\Users\user\AppData\Local\directory\name.exe |
Code function: 5_2_00104696 GetFileAttributesW,FindFirstFileW,FindClose, |
5_2_00104696 |
Source: C:\Users\user\AppData\Local\directory\name.exe |
Code function: 5_2_0010C93C FindFirstFileW,FindClose, |
5_2_0010C93C |
Source: C:\Users\user\AppData\Local\directory\name.exe |
Code function: 5_2_0010C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, |
5_2_0010C9C7 |
Source: C:\Users\user\AppData\Local\directory\name.exe |
Code function: 5_2_0010F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
5_2_0010F200 |
Source: C:\Users\user\AppData\Local\directory\name.exe |
Code function: 5_2_0010F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
5_2_0010F35D |
Source: C:\Users\user\AppData\Local\directory\name.exe |
Code function: 5_2_0010F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, |
5_2_0010F65E |
Source: C:\Users\user\AppData\Local\directory\name.exe |
Code function: 5_2_00103A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, |
5_2_00103A2B |
Source: C:\Users\user\AppData\Local\directory\name.exe |
Code function: 5_2_00103D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, |
5_2_00103D4E |
Source: C:\Users\user\AppData\Local\directory\name.exe |
Code function: 5_2_0010BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, |
5_2_0010BF27 |
Source: C:\Windows\SysWOW64\svchost.exe |
Code function: 6_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
6_2_00409253 |
Source: C:\Windows\SysWOW64\svchost.exe |
Code function: 6_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, |
6_2_0041C291 |
Source: C:\Windows\SysWOW64\svchost.exe |
Code function: 6_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, |
6_2_0040C34D |
Source: C:\Windows\SysWOW64\svchost.exe |
Code function: 6_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
6_2_00409665 |
Source: C:\Windows\SysWOW64\svchost.exe |
Code function: 6_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, |
6_2_0040880C |
Source: C:\Windows\SysWOW64\svchost.exe |
Code function: 6_2_0040783C FindFirstFileW,FindNextFileW, |
6_2_0040783C |
Source: C:\Windows\SysWOW64\svchost.exe |
Code function: 6_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, |
6_2_00419AF5 |
Source: C:\Windows\SysWOW64\svchost.exe |
Code function: 6_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, |
6_2_0040BB30 |
Source: C:\Windows\SysWOW64\svchost.exe |
Code function: 6_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, |
6_2_0040BD37 |
Source: C:\Windows\SysWOW64\svchost.exe |
Code function: 7_2_0040AE51 FindFirstFileW,FindNextFileW, |
7_2_0040AE51 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 107.175.229.139 |
Source: svchost.exe, 00000006.00000002.2878530155.0000000005D20000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.2854252619.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy) |
Source: svchost.exe, 00000006.00000002.2878530155.0000000005D20000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.2854252619.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy) |
Source: svchost.exe |
String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook) |
Source: svchost.exe, 00000007.00000003.2864837706.0000000003144000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook) |
Source: svchost.exe, 00000007.00000003.2864837706.0000000003144000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo) |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: pop-lva1.www.linkedin.com equals www.linkedin.com (Linkedin) |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: pop-lva1.www.linkedin.com0 equals www.linkedin.com (Linkedin) |
Source: svchost.exe, 00000007.00000003.2868404025.0000000003144000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: tps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook) |
Source: svchost.exe, 00000007.00000003.2868404025.0000000003144000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: tps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo) |
Source: svchost.exe, 00000006.00000002.2877948678.00000000050C0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000007.00000002.2868513015.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook) |
Source: svchost.exe, 00000006.00000002.2877948678.00000000050C0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000007.00000002.2868513015.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo) |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt0 |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0 |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0 |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0 |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0 |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0 |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: http://cacerts.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crt0 |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: http://crl3.digicert.com/DigiCertCloudServicesCA-1-g1.crl0? |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07 |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0= |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0 |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07 |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07 |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0 |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0? |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: http://crl3.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0H |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0 |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0= |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: http://crl4.digicert.com/DigiCertCloudServicesCA-1-g1.crl0 |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00 |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0 |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0 |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0 |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0 |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~ |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: http://crl4.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0 |
Source: svchost.exe, 00000006.00000002.2877479755.0000000003077000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2877334638.0000000003068000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2840816406.0000000003068000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2841755060.0000000003068000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2877257882.0000000003012000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2877524808.000000000308A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000003.2839396466.0000000003068000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/json.gp |
Source: name.exe, 00000005.00000002.2821566748.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2876639458.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/json.gp/C |
Source: svchost.exe, 00000006.00000002.2877479755.0000000003077000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/json.gpSystem32 |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: http://ocsp.digicert.com0 |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: http://ocsp.digicert.com0: |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: http://ocsp.digicert.com0H |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: http://ocsp.digicert.com0I |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: http://ocsp.digicert.com0Q |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: http://ocsp.msocsp.com0 |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: http://ocsp.msocsp.com0S |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: http://ocspx.digicert.com0E |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: http://www.digicert.com/CPS0 |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: http://www.digicert.com/CPS0~ |
Source: svchost.exe, 00000006.00000002.2878530155.0000000005D20000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.2854252619.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: http://www.ebuddy.com |
Source: svchost.exe, 00000006.00000002.2878530155.0000000005D20000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.2854252619.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: http://www.imvu.com |
Source: svchost.exe, 00000006.00000002.2878530155.0000000005D20000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.2854252619.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com |
Source: svchost.exe, 00000006.00000002.2878530155.0000000005D20000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.2854252619.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: http://www.imvu.comr |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: http://www.msftconnecttest.com/connecttest.txt?n=1696334965379 |
Source: svchost.exe, 00000007.00000002.2868756077.00000000009B3000.00000004.00000010.00020000.00000000.sdmp |
String found in binary or memory: http://www.nirsoft.net |
Source: svchost.exe, 00000009.00000002.2854252619.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: http://www.nirsoft.net/ |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?18b635b804a8d6ad0a1fa437 |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?c9b5e9d2b836931c8ddd4e8d |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?1c89d9658c6af83a02d98b03 |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?74b620657ac570f7999e6ad7 |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?cf2d8bf3b68a3e37eef992d5 |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?fc66b8a78ab7a1394f56e742 |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?66601c3b572f284b9da07fcc |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?f67d919da1a9ba8a5672367d |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=W |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?467894188c5d788807342326 |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?a176b93f037f93b5720edf68 |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpX |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BL2r8e&Fr |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BLUr5a&Fr |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-BL2r8e&FrontEnd=AFD |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: https://fp-afd-nocache-ccp.azureedge.net/apc/trans.gif?99bdaa7641aea1439604d0afe8971477 |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: https://fp-afd-nocache-ccp.azureedge.net/apc/trans.gif?bc7d158a1b0c0bcddb88a222b6122bda |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?60caefc8ca640843bccad421cfaadcc8 |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?a9bddedb22fa9ee1d455a5d5a89b950c |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: https://fp-vp-nocache.azureedge.net/apc/trans.gif?4be9f57fdbd89d63c136fa90032d1d91 |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: https://fp-vp-nocache.azureedge.net/apc/trans.gif?e5772e13592c9d33c9159aed24f891a7 |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?a6aceac28fb5ae421a73cab7cdd76bd8 |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?b57fe5cd49060a950d25a1d237496815 |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?2f6c563d6db8702d4f61cfc28e14d6ba |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?3dacce210479f0b4d47ed33c21160712 |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?7e0e9c3a9f02f17275e789accf11532b |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?81f59f7d566abbd2077a5b6cdfd04c7b |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?3c5bdbf226e2549812723f51b8fe2023 |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?c50299ad5b45bb3d4c7a57024998a291 |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com: |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033 |
Source: svchost.exe, 00000007.00000003.2868404025.0000000003144000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.liv |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3 |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3-4102-ae |
Source: svchost.exe |
String found in binary or memory: https://login.yahoo.com/config/login |
Source: svchost.exe, 00000006.00000002.2878530155.0000000005D20000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.2854252619.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: https://www.google.com |
Source: svchost.exe |
String found in binary or memory: https://www.google.com/accounts/servicelogin |
Source: bhv5230.tmp.7.dr |
String found in binary or memory: https://www.office.com/ |
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Code function: 0_2_00084458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, |
0_2_00084458 |
Source: C:\Users\user\AppData\Local\directory\name.exe |
Code function: 5_2_00114458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, |
5_2_00114458 |
Source: C:\Windows\SysWOW64\svchost.exe |
Code function: 6_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, |
6_2_004168C1 |
Source: C:\Windows\SysWOW64\svchost.exe |
Code function: 7_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, |
7_2_0040987A |
Source: C:\Windows\SysWOW64\svchost.exe |
Code function: 7_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, |
7_2_004098E2 |
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Code function: 0_2_0009CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, |
0_2_0009CDAC |
Source: C:\Users\user\AppData\Local\directory\name.exe |
Code function: 5_2_0012CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, |
5_2_0012CDAC |
Source: 6.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 6.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 6.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 6.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 6.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 6.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 5.2.name.exe.3f20000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 5.2.name.exe.3f20000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 5.2.name.exe.3f20000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 5.2.name.exe.3f20000.1.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 5.2.name.exe.3f20000.1.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 5.2.name.exe.3f20000.1.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 00000006.00000002.2876639458.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000006.00000002.2876639458.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 00000006.00000002.2876639458.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 00000005.00000002.2821566748.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000005.00000002.2821566748.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 00000005.00000002.2821566748.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: Process Memory Space: name.exe PID: 8048, type: MEMORYSTR |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: Process Memory Space: svchost.exe PID: 8084, type: MEMORYSTR |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Code function: This is a third-party compiled AutoIt script. |
0_2_00013B4C |
Source: cnaniAxghZ.exe |
String found in binary or memory: This is a third-party compiled AutoIt script. |
|
Source: cnaniAxghZ.exe, 00000000.00000000.1620231758.00000000000C5000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: This is a third-party compiled AutoIt script. |
memstr_2bb9372d-e |
Source: cnaniAxghZ.exe, 00000000.00000000.1620231758.00000000000C5000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer |
memstr_4c7fb676-b |
Source: cnaniAxghZ.exe, 00000000.00000003.2795789078.0000000003CA5000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: This is a third-party compiled AutoIt script. |
memstr_4522a80f-f |
Source: cnaniAxghZ.exe, 00000000.00000003.2795789078.0000000003CA5000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer |
memstr_1302d4fb-d |
Source: C:\Users\user\AppData\Local\directory\name.exe |
Code function: This is a third-party compiled AutoIt script. |
5_2_000A3B4C |
Source: name.exe |
String found in binary or memory: This is a third-party compiled AutoIt script. |
|
Source: name.exe, 00000005.00000000.2809555856.0000000000155000.00000002.00000001.01000000.00000005.sdmp |
String found in binary or memory: This is a third-party compiled AutoIt script. |
memstr_37850323-c |
Source: name.exe, 00000005.00000000.2809555856.0000000000155000.00000002.00000001.01000000.00000005.sdmp |
String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer |
memstr_26da15f7-9 |
Source: cnaniAxghZ.exe |
String found in binary or memory: This is a third-party compiled AutoIt script. |
memstr_7b96de99-6 |
Source: cnaniAxghZ.exe |
String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer |
memstr_96ed0e6b-8 |
Source: name.exe.0.dr |
String found in binary or memory: This is a third-party compiled AutoIt script. |
memstr_2c2517af-6 |
Source: name.exe.0.dr |
String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer |
memstr_03223356-2 |
Source: C:\Windows\SysWOW64\svchost.exe |
Code function: 6_2_004180EF GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError, |
6_2_004180EF |
Source: C:\Windows\SysWOW64\svchost.exe |
Code function: 7_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, |
7_2_0040DD85 |
Source: C:\Windows\SysWOW64\svchost.exe |
Code function: 7_2_00401806 NtdllDefWindowProc_W, |
7_2_00401806 |
Source: C:\Windows\SysWOW64\svchost.exe |
Code function: 7_2_004018C0 NtdllDefWindowProc_W, |
7_2_004018C0 |
Code function: String function: 00434E10 appears 54 times |
|
Source: C:\Windows\SysWOW64\svchost.exe |
Code function: String function: 00402093 appears 50 times |
|
Source: C:\Windows\SysWOW64\svchost.exe |
Code function: String function: 00434770 appears 41 times |
|
Source: C:\Windows\SysWOW64\svchost.exe |
Code function: String function: 004169A7 appears 87 times |
|
Source: C:\Windows\SysWOW64\svchost.exe |
Code function: String function: 0044DB70 appears 41 times |
|
Source: C:\Windows\SysWOW64\svchost.exe |
Code function: String function: 004165FF appears 35 times |
|
Source: C:\Windows\SysWOW64\svchost.exe |
Code function: String function: 00401E65 appears 34 times |
|
Source: C:\Windows\SysWOW64\svchost.exe |
Code function: String function: 00416760 appears 69 times |
|
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Code function: String function: 00017F41 appears 35 times |
|
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Code function: String function: 00038B40 appears 42 times |
|
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Code function: String function: 00030D27 appears 70 times |
|
Source: C:\Users\user\AppData\Local\directory\name.exe |
Code function: String function: 000C8B40 appears 42 times |
|
Source: C:\Users\user\AppData\Local\directory\name.exe |
Code function: String function: 000A7F41 appears 35 times |
|
Source: C:\Users\user\AppData\Local\directory\name.exe |
Code function: String function: 000C0D27 appears 70 times |
|
Source: 6.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 6.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 6.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 6.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 6.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 6.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 5.2.name.exe.3f20000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 5.2.name.exe.3f20000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 5.2.name.exe.3f20000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 5.2.name.exe.3f20000.1.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 5.2.name.exe.3f20000.1.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 5.2.name.exe.3f20000.1.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 00000006.00000002.2876639458.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 00000006.00000002.2876639458.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 00000006.00000002.2876639458.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 00000005.00000002.2821566748.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 00000005.00000002.2821566748.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 00000005.00000002.2821566748.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: Process Memory Space: name.exe PID: 8048, type: MEMORYSTR |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: Process Memory Space: svchost.exe PID: 8084, type: MEMORYSTR |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: svchost.exe, svchost.exe, 00000007.00000002.2868513015.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence'; |
Source: svchost.exe, svchost.exe, 00000007.00000002.2868513015.0000000000400000.00000040.80000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000002.2852218695.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q); |
Source: svchost.exe, 00000006.00000002.2877948678.00000000050C0000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000007.00000002.2868513015.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger'); |
Source: svchost.exe, svchost.exe, 00000007.00000002.2868513015.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0 |
Source: svchost.exe, svchost.exe, 00000007.00000002.2868513015.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s; |
Source: svchost.exe, svchost.exe, 00000007.00000002.2868513015.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s; |
Source: svchost.exe, 00000007.00000003.2868319315.000000000312E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2868382286.0000000003130000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key)); |
Source: svchost.exe, svchost.exe, 00000007.00000002.2868513015.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence' |
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Section loaded: wsock32.dll |
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Section loaded: version.dll |
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Section loaded: winmm.dll |
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Section loaded: mpr.dll |
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Section loaded: wininet.dll |
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Section loaded: cryptsp.dll |
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Section loaded: rsaenh.dll |
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\AppData\Local\directory\name.exe |
Section loaded: wsock32.dll |
Source: C:\Users\user\AppData\Local\directory\name.exe |
Section loaded: version.dll |
Source: C:\Users\user\AppData\Local\directory\name.exe |
Section loaded: winmm.dll |
Source: C:\Users\user\AppData\Local\directory\name.exe |
Section loaded: mpr.dll |
Source: C:\Users\user\AppData\Local\directory\name.exe |
Section loaded: wininet.dll |
Source: C:\Users\user\AppData\Local\directory\name.exe |
Section loaded: iphlpapi.dll |
Source: C:\Users\user\AppData\Local\directory\name.exe |
Section loaded: userenv.dll |
Source: C:\Users\user\AppData\Local\directory\name.exe |
Section loaded: uxtheme.dll |
Source: C:\Users\user\AppData\Local\directory\name.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\AppData\Local\directory\name.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\AppData\Local\directory\name.exe |
Section loaded: wldp.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: winmm.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: urlmon.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: wininet.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: iertutil.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: srvcli.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: netutils.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: iphlpapi.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: rstrtmgr.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: ncrypt.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: ntasn1.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: sspicli.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: mswsock.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: windows.storage.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: wldp.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: profapi.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: ondemandconnroutehelper.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: winhttp.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: winnsi.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: dnsapi.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: rasadhlp.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: fwpuclnt.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: version.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: wininet.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: windows.storage.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: wldp.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: cryptsp.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: rsaenh.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: cryptbase.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: pstorec.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: vaultcli.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: wintypes.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: dpapi.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: msasn1.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: windows.storage.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: wldp.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: pstorec.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: sspicli.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: msasn1.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: msasn1.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: windows.storage.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: wldp.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: msasn1.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: sspicli.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: cryptsp.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: rsaenh.dll |
Source: C:\Windows\SysWOW64\svchost.exe |
Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Code function: 0_2_0001C590 push eax; retn 0001h |
0_2_0001C599 |
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Code function: 0_2_00078719 push FFFFFF8Bh; iretd |
0_2_0007871B |
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Code function: 0_2_0003E94F push edi; ret |
0_2_0003E951 |
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Code function: 0_2_0003EA68 push esi; ret |
0_2_0003EA6A |
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Code function: 0_2_00038B85 push ecx; ret |
0_2_00038B98 |
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Code function: 0_2_0003EC43 push esi; ret |
0_2_0003EC45 |
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Code function: 0_2_0003ED2C push edi; ret |
0_2_0003ED2E |
Source: C:\Users\user\AppData\Local\directory\name.exe |
Code function: 5_2_000AC590 push eax; retn 000Ah |
5_2_000AC599 |
Source: C:\Users\user\AppData\Local\directory\name.exe |
Code function: 5_2_00108719 push FFFFFF8Bh; iretd |
5_2_0010871B |
Source: C:\Users\user\AppData\Local\directory\name.exe |
Code function: 5_2_000CE94F push edi; ret |
5_2_000CE951 |
Source: C:\Users\user\AppData\Local\directory\name.exe |
Code function: 5_2_000CEA68 push esi; ret |
5_2_000CEA6A |
Source: C:\Users\user\AppData\Local\directory\name.exe |
Code function: 5_2_000C8B85 push ecx; ret |
5_2_000C8B98 |
Source: C:\Users\user\AppData\Local\directory\name.exe |
Code function: 5_2_000CEC43 push esi; ret |
5_2_000CEC45 |
Source: C:\Users\user\AppData\Local\directory\name.exe |
Code function: 5_2_000CED2C push edi; ret |
5_2_000CED2E |
Source: C:\Windows\SysWOW64\svchost.exe |
Code function: 6_2_00457106 push ecx; ret |
6_2_00457119 |
Source: C:\Windows\SysWOW64\svchost.exe |
Code function: 6_2_0045B11A push esp; ret |
6_2_0045B141 |
Source: C:\Windows\SysWOW64\svchost.exe |
Code function: 6_2_00457A28 push eax; ret |
6_2_00457A46 |
Source: C:\Windows\SysWOW64\svchost.exe |
Code function: 6_2_00434E56 push ecx; ret |
6_2_00434E69 |
Source: C:\Windows\SysWOW64\svchost.exe |
Code function: 7_2_0044693D push ecx; ret |
7_2_0044694D |
Source: C:\Windows\SysWOW64\svchost.exe |
Code function: 7_2_0044DB70 push eax; ret |
7_2_0044DB84 |
Source: C:\Windows\SysWOW64\svchost.exe |
Code function: 7_2_0044DB70 push eax; ret |
7_2_0044DBAC |
Source: C:\Windows\SysWOW64\svchost.exe |
Code function: 7_2_00451D54 push eax; ret |
7_2_00451D61 |
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Code function: 0_2_00014A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, |
0_2_00014A35 |
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Code function: 0_2_000955FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, |
0_2_000955FD |
Source: C:\Users\user\AppData\Local\directory\name.exe |
Code function: 5_2_000A4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, |
5_2_000A4A35 |
Source: C:\Users\user\AppData\Local\directory\name.exe |
Code function: 5_2_001255FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, |
5_2_001255FD |
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\directory\name.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\directory\name.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\svchost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\svchost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\svchost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\svchost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\svchost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Code function: 0_2_00074696 GetFileAttributesW,FindFirstFileW,FindClose, |
0_2_00074696 |
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Code function: 0_2_0007C93C FindFirstFileW,FindClose, |
0_2_0007C93C |
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Code function: 0_2_0007C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, |
0_2_0007C9C7 |
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Code function: 0_2_0007F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
0_2_0007F200 |
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Code function: 0_2_0007F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
0_2_0007F35D |
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Code function: 0_2_0007F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, |
0_2_0007F65E |
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Code function: 0_2_00073A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, |
0_2_00073A2B |
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Code function: 0_2_00073D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, |
0_2_00073D4E |
Source: C:\Users\user\Desktop\cnaniAxghZ.exe |
Code function: 0_2_0007BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, |
0_2_0007BF27 |
Source: C:\Users\user\AppData\Local\directory\name.exe |
Code function: 5_2_00104696 GetFileAttributesW,FindFirstFileW,FindClose, |
5_2_00104696 |
Source: C:\Users\user\AppData\Local\directory\name.exe |
Code function: 5_2_0010C93C FindFirstFileW,FindClose, |
5_2_0010C93C |
Source: C:\Users\user\AppData\Local\directory\name.exe |
Code function: 5_2_0010C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, |
5_2_0010C9C7 |
Source: C:\Users\user\AppData\Local\directory\name.exe |
Code function: 5_2_0010F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
5_2_0010F200 |
Source: C:\Users\user\AppData\Local\directory\name.exe |
Code function: 5_2_0010F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
5_2_0010F35D |
Source: C:\Users\user\AppData\Local\directory\name.exe |
Code function: 5_2_0010F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, |
5_2_0010F65E |
Source: C:\Users\user\AppData\Local\directory\name.exe |
Code function: 5_2_00103A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, |
5_2_00103A2B |
Source: C:\Users\user\AppData\Local\directory\name.exe |
Code function: 5_2_00103D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, |
5_2_00103D4E |
Source: C:\Users\user\AppData\Local\directory\name.exe |
Code function: 5_2_0010BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, |
5_2_0010BF27 |
Source: C:\Windows\SysWOW64\svchost.exe |
Code function: 6_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
6_2_00409253 |
Source: C:\Windows\SysWOW64\svchost.exe |
Code function: 6_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, |
6_2_0041C291 |
Source: C:\Windows\SysWOW64\svchost.exe |
Code function: 6_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, |
6_2_0040C34D |
Source: C:\Windows\SysWOW64\svchost.exe |
Code function: 6_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
6_2_00409665 |
Source: C:\Windows\SysWOW64\svchost.exe |
Code function: 6_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, |
6_2_0040880C |
Source: C:\Windows\SysWOW64\svchost.exe |
Code function: 6_2_0040783C FindFirstFileW,FindNextFileW, |
6_2_0040783C |
Source: C:\Windows\SysWOW64\svchost.exe |
Code function: 6_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, |
6_2_00419AF5 |
Source: C:\Windows\SysWOW64\svchost.exe |
Code function: 6_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, |
6_2_0040BB30 |
Source: C:\Windows\SysWOW64\svchost.exe |
Code function: 6_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, |
6_2_0040BD37 |
Source: C:\Windows\SysWOW64\svchost.exe |
Code function: 7_2_0040AE51 FindFirstFileW,FindNextFileW, |
7_2_0040AE51 |