Source: 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp | String decryptor: associationokeo.shop |
Source: 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp | String decryptor: turkeyunlikelyofw.shop |
Source: 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp | String decryptor: pooreveningfuseor.pw |
Source: 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp | String decryptor: edurestunningcrackyow.fun |
Source: 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp | String decryptor: detectordiscusser.shop |
Source: 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp | String decryptor: problemregardybuiwo.fun |
Source: 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp | String decryptor: lighterepisodeheighte.fun |
Source: 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp | String decryptor: technologyenterdo.shop |
Source: 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp | String decryptor: assumptionflattyou.shop |
Source: 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0 |
Source: 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5 |
Source: 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp | String decryptor: - Screen Resoluton: |
Source: 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory: |
Source: 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp | String decryptor: Workgroup: - |
Source: 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp | String decryptor: HpOoIh--@Zakielk |
Source: C:\Users\user\Desktop\80441fcf.exe | Code function: 0_2_0040325A FindFirstFileW,FindClose,SetLastError,CompareFileTime, | 0_2_0040325A |
Source: C:\Users\user\Desktop\80441fcf.exe | Code function: 0_2_00402B9F FindFirstFileW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetCurrentDirectoryW,SetFileAttributesW,RemoveDirectoryW, | 0_2_00402B9F |
Source: C:\Users\user\Desktop\80441fcf.exe | Code function: 0_2_00402CB4 FindFirstFileW,FindClose,SetFileAttributesW,DeleteFileW, | 0_2_00402CB4 |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_008BE1AC GetFileAttributesW,FindFirstFileW,FindClose, | 12_2_008BE1AC |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_008BD98E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, | 12_2_008BD98E |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_008CA29A FindFirstFileW,Sleep,FindNextFileW,FindClose, | 12_2_008CA29A |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_008C6406 FindFirstFileW,FindNextFileW,FindClose, | 12_2_008C6406 |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_0088C5F3 FindFirstFileExW, | 12_2_0088C5F3 |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_008C70FE FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, | 12_2_008C70FE |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_008C705D FindFirstFileW,FindClose, | 12_2_008C705D |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_008BD65B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, | 12_2_008BD65B |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_008C9DB1 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 12_2_008C9DB1 |
Source: Malware configuration extractor | URLs: associationokeo.shop |
Source: Malware configuration extractor | URLs: turkeyunlikelyofw.shop |
Source: Malware configuration extractor | URLs: pooreveningfuseor.pw |
Source: Malware configuration extractor | URLs: edurestunningcrackyow.fun |
Source: Malware configuration extractor | URLs: detectordiscusser.shop |
Source: Malware configuration extractor | URLs: problemregardybuiwo.fun |
Source: Malware configuration extractor | URLs: lighterepisodeheighte.fun |
Source: Malware configuration extractor | URLs: technologyenterdo.shop |
Source: Malware configuration extractor | URLs: assumptionflattyou.shop |
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: assumptionflattyou.shop |
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 57Host: assumptionflattyou.shop |
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 13683Host: assumptionflattyou.shop |
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 16226Host: assumptionflattyou.shop |
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20570Host: assumptionflattyou.shop |
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1270Host: assumptionflattyou.shop |
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 555626Host: assumptionflattyou.shop |
Source: 80441fcf.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E |
Source: Apply.pif, 0000000C.00000003.2483350363.0000000004B00000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0 |
Source: Apply.pif, 0000000C.00000003.2483350363.0000000004B00000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B |
Source: 80441fcf.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0 |
Source: 80441fcf.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0 |
Source: 80441fcf.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C |
Source: Apply.pif, 0000000C.00000003.2426382536.0000000004542000.00000004.00000800.00020000.00000000.sdmp, Affordable.0.dr, Apply.pif.10.dr | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0 |
Source: Apply.pif, 0000000C.00000003.2426382536.0000000004542000.00000004.00000800.00020000.00000000.sdmp, Affordable.0.dr, Apply.pif.10.dr | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0 |
Source: Apply.pif, 0000000C.00000003.2426382536.0000000004542000.00000004.00000800.00020000.00000000.sdmp, Affordable.0.dr, Apply.pif.10.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G |
Source: Apply.pif, 0000000C.00000003.2426382536.0000000004542000.00000004.00000800.00020000.00000000.sdmp, Affordable.0.dr, Apply.pif.10.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c |
Source: Apply.pif, 0000000C.00000003.2426382536.0000000004542000.00000004.00000800.00020000.00000000.sdmp, Affordable.0.dr, Apply.pif.10.dr | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G |
Source: Apply.pif, 0000000C.00000003.2483350363.0000000004B00000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0 |
Source: 80441fcf.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0 |
Source: Apply.pif, 0000000C.00000003.2483350363.0000000004B00000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07 |
Source: Apply.pif, 0000000C.00000003.2483350363.0000000004B00000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0= |
Source: 80441fcf.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S |
Source: 80441fcf.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0 |
Source: 80441fcf.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0 |
Source: Apply.pif, 0000000C.00000003.2483350363.0000000004B00000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00 |
Source: 80441fcf.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0 |
Source: Apply.pif, 0000000C.00000003.2483350363.0000000004B00000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0? |
Source: Apply.pif, 0000000C.00000003.2483350363.0000000004B00000.00000004.00000800.00020000.00000000.sdmp, 80441fcf.exe | String found in binary or memory: http://ocsp.digicert.com0 |
Source: 80441fcf.exe | String found in binary or memory: http://ocsp.digicert.com0A |
Source: 80441fcf.exe | String found in binary or memory: http://ocsp.digicert.com0C |
Source: 80441fcf.exe | String found in binary or memory: http://ocsp.digicert.com0X |
Source: Apply.pif, 0000000C.00000003.2426382536.0000000004542000.00000004.00000800.00020000.00000000.sdmp, Affordable.0.dr, Apply.pif.10.dr | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C |
Source: Apply.pif, 0000000C.00000003.2483350363.0000000004B00000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0: |
Source: Apply.pif, 0000000C.00000003.2426382536.0000000004542000.00000004.00000800.00020000.00000000.sdmp, Affordable.0.dr, Apply.pif.10.dr | String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V |
Source: Apply.pif, 0000000C.00000003.2426382536.0000000004542000.00000004.00000800.00020000.00000000.sdmp, Affordable.0.dr, Apply.pif.10.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306 |
Source: Apply.pif, 0000000C.00000003.2426382536.0000000004542000.00000004.00000800.00020000.00000000.sdmp, Affordable.0.dr, Apply.pif.10.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr606 |
Source: Apply.pif, 0000000C.00000003.2426382536.0000000004542000.00000004.00000800.00020000.00000000.sdmp, Affordable.0.dr, Apply.pif.10.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08 |
Source: Apply.pif, 0000000C.00000003.2426382536.0000000004542000.00000004.00000800.00020000.00000000.sdmp, Affordable.0.dr, Apply.pif.10.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0 |
Source: Apply.pif, 0000000C.00000002.2540300612.0000000000925000.00000002.00000001.01000000.00000005.sdmp, Apply.pif, 0000000C.00000003.2426382536.0000000004542000.00000004.00000800.00020000.00000000.sdmp, Affordable.0.dr, Apply.pif.10.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/X |
Source: 80441fcf.exe | String found in binary or memory: http://www.digicert.com/CPS0 |
Source: Apply.pif, 0000000C.00000003.2483350363.0000000004B00000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0 |
Source: Apply.pif, 0000000C.00000003.2483350363.0000000004B00000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0 |
Source: Apply.pif, 0000000C.00000002.2541881503.0000000004A74000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://assumptionflattyou.shop/ |
Source: Apply.pif, 0000000C.00000002.2540514677.0000000001620000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://assumptionflattyou.shop/4 |
Source: Apply.pif, 0000000C.00000002.2541881503.0000000004A74000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://assumptionflattyou.shop/Pa |
Source: Apply.pif, 0000000C.00000002.2541881503.0000000004A8D000.00000004.00000800.00020000.00000000.sdmp, Apply.pif, 0000000C.00000002.2541881503.0000000004A74000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://assumptionflattyou.shop/api |
Source: Apply.pif, 0000000C.00000002.2541881503.0000000004A8D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://assumptionflattyou.shop/apir |
Source: Apply.pif, 0000000C.00000002.2541881503.0000000004A8D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://assumptionflattyou.shop/apis |
Source: Apply.pif, 0000000C.00000002.2540514677.0000000001620000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://assumptionflattyou.shop/apiy |
Source: Apply.pif, 0000000C.00000002.2541881503.0000000004A74000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://assumptionflattyou.shop/os |
Source: Apply.pif, 0000000C.00000002.2540514677.0000000001620000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://assumptionflattyou.shop:443/api |
Source: Apply.pif, 0000000C.00000003.2484956968.0000000005B0A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br |
Source: Apply.pif, 0000000C.00000003.2484956968.0000000005B0A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all |
Source: Apply.pif, 0000000C.00000003.2426382536.0000000004542000.00000004.00000800.00020000.00000000.sdmp, Affordable.0.dr, Apply.pif.10.dr | String found in binary or memory: https://www.autoitscript.com/autoit3/ |
Source: Apply.pif.10.dr | String found in binary or memory: https://www.globalsign.com/repository/0 |
Source: Apply.pif, 0000000C.00000003.2484956968.0000000005B0A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc |
Source: Apply.pif, 0000000C.00000003.2484956968.0000000005B0A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6 |
Source: Apply.pif, 0000000C.00000003.2484956968.0000000005B0A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox |
Source: Apply.pif, 0000000C.00000003.2484956968.0000000005B0A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig |
Source: Apply.pif, 0000000C.00000003.2484956968.0000000005B0A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg |
Source: Apply.pif, 0000000C.00000003.2484956968.0000000005B0A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www. |
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731 |
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 64747 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 64748 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 64745 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64747 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64748 |
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64745 |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_008E9C62 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, | 12_2_008E9C62 |
Source: C:\Users\user\Desktop\80441fcf.exe | Code function: 0_2_00404E5F | 0_2_00404E5F |
Source: C:\Users\user\Desktop\80441fcf.exe | Code function: 0_2_0041B853 | 0_2_0041B853 |
Source: C:\Users\user\Desktop\80441fcf.exe | Code function: 0_2_004150AE | 0_2_004150AE |
Source: C:\Users\user\Desktop\80441fcf.exe | Code function: 0_2_004161F1 | 0_2_004161F1 |
Source: C:\Users\user\Desktop\80441fcf.exe | Code function: 0_2_00416A1D | 0_2_00416A1D |
Source: C:\Users\user\Desktop\80441fcf.exe | Code function: 0_2_004183B0 | 0_2_004183B0 |
Source: C:\Users\user\Desktop\80441fcf.exe | Code function: 0_2_0041B4E1 | 0_2_0041B4E1 |
Source: C:\Users\user\Desktop\80441fcf.exe | Code function: 0_2_0041649B | 0_2_0041649B |
Source: C:\Users\user\Desktop\80441fcf.exe | Code function: 0_2_0040AD0B | 0_2_0040AD0B |
Source: C:\Users\user\Desktop\80441fcf.exe | Code function: 0_2_0040F5E4 | 0_2_0040F5E4 |
Source: C:\Users\user\Desktop\80441fcf.exe | Code function: 0_2_00411D80 | 0_2_00411D80 |
Source: C:\Users\user\Desktop\80441fcf.exe | Code function: 0_2_0041B5BB | 0_2_0041B5BB |
Source: C:\Users\user\Desktop\80441fcf.exe | Code function: 0_2_00415E7F | 0_2_00415E7F |
Source: C:\Users\user\Desktop\80441fcf.exe | Code function: 0_2_00416762 | 0_2_00416762 |
Source: C:\Users\user\Desktop\80441fcf.exe | Code function: 0_2_0041379E | 0_2_0041379E |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_008581B0 | 12_2_008581B0 |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_00872282 | 12_2_00872282 |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_0088A23E | 12_2_0088A23E |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_0085E4CB | 12_2_0085E4CB |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_0086C4DD | 12_2_0086C4DD |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_008DC5CB | 12_2_008DC5CB |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_00858690 | 12_2_00858690 |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_008C272F | 12_2_008C272F |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_0088E852 | 12_2_0088E852 |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_008B8991 | 12_2_008B8991 |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_00886ABB | 12_2_00886ABB |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_00858AF0 | 12_2_00858AF0 |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_0086CC3E | 12_2_0086CC3E |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_0087CDF0 | 12_2_0087CDF0 |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_0085D080 | 12_2_0085D080 |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_008E5033 | 12_2_008E5033 |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_00887129 | 12_2_00887129 |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_008716E4 | 12_2_008716E4 |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_00871A56 | 12_2_00871A56 |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_00869BAD | 12_2_00869BAD |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_00877B6B | 12_2_00877B6B |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_00877D9A | 12_2_00877D9A |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_00871D00 | 12_2_00871D00 |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_00871FC7 | 12_2_00871FC7 |
Source: unknown | Process created: C:\Users\user\Desktop\80441fcf.exe "C:\Users\user\Desktop\80441fcf.exe" | |
Source: C:\Users\user\Desktop\80441fcf.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Users\user\Desktop\80441fcf.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Inventory Inventory.bat & Inventory.bat & exit | |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist | |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" | |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist | |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe" | |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 5758 | |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Cookbook + Increasingly + Rounds + Affordable 5758\Apply.pif | |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Ink 5758\o | |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif 5758\Apply.pif 5758\o | |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1 | |
Source: C:\Users\user\Desktop\80441fcf.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Inventory Inventory.bat & Inventory.bat & exit | Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist | Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" | Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist | Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe" | Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 5758 | Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Cookbook + Increasingly + Rounds + Affordable 5758\Apply.pif | Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Ink 5758\o | Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif 5758\Apply.pif 5758\o | Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1 | Jump to behavior |
Source: C:\Users\user\Desktop\80441fcf.exe | Section loaded: apphelp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\80441fcf.exe | Section loaded: windows.storage.dll | Jump to behavior |
Source: C:\Users\user\Desktop\80441fcf.exe | Section loaded: wldp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\80441fcf.exe | Section loaded: profapi.dll | Jump to behavior |
Source: C:\Users\user\Desktop\80441fcf.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Users\user\Desktop\80441fcf.exe | Section loaded: uxtheme.dll | Jump to behavior |
Source: C:\Users\user\Desktop\80441fcf.exe | Section loaded: propsys.dll | Jump to behavior |
Source: C:\Users\user\Desktop\80441fcf.exe | Section loaded: edputil.dll | Jump to behavior |
Source: C:\Users\user\Desktop\80441fcf.exe | Section loaded: urlmon.dll | Jump to behavior |
Source: C:\Users\user\Desktop\80441fcf.exe | Section loaded: iertutil.dll | Jump to behavior |
Source: C:\Users\user\Desktop\80441fcf.exe | Section loaded: srvcli.dll | Jump to behavior |
Source: C:\Users\user\Desktop\80441fcf.exe | Section loaded: netutils.dll | Jump to behavior |
Source: C:\Users\user\Desktop\80441fcf.exe | Section loaded: windows.staterepositoryps.dll | Jump to behavior |
Source: C:\Users\user\Desktop\80441fcf.exe | Section loaded: sspicli.dll | Jump to behavior |
Source: C:\Users\user\Desktop\80441fcf.exe | Section loaded: wintypes.dll | Jump to behavior |
Source: C:\Users\user\Desktop\80441fcf.exe | Section loaded: appresolver.dll | Jump to behavior |
Source: C:\Users\user\Desktop\80441fcf.exe | Section loaded: bcp47langs.dll | Jump to behavior |
Source: C:\Users\user\Desktop\80441fcf.exe | Section loaded: slc.dll | Jump to behavior |
Source: C:\Users\user\Desktop\80441fcf.exe | Section loaded: userenv.dll | Jump to behavior |
Source: C:\Users\user\Desktop\80441fcf.exe | Section loaded: sppc.dll | Jump to behavior |
Source: C:\Users\user\Desktop\80441fcf.exe | Section loaded: onecorecommonproxystub.dll | Jump to behavior |
Source: C:\Users\user\Desktop\80441fcf.exe | Section loaded: onecoreuapcommonproxystub.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: ntmarta.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Section loaded: wsock32.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Section loaded: version.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Section loaded: winmm.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Section loaded: mpr.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Section loaded: wininet.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Section loaded: iphlpapi.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Section loaded: userenv.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Section loaded: uxtheme.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Section loaded: windows.storage.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Section loaded: wldp.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Section loaded: napinsp.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Section loaded: pnrpnsp.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Section loaded: wshbth.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Section loaded: nlaapi.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Section loaded: mswsock.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Section loaded: dnsapi.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Section loaded: winrnr.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Section loaded: rasadhlp.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Section loaded: winhttp.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Section loaded: ondemandconnroutehelper.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Section loaded: webio.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Section loaded: winnsi.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Section loaded: sspicli.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Section loaded: fwpuclnt.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Section loaded: schannel.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Section loaded: mskeyprotect.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Section loaded: ntasn1.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Section loaded: ncrypt.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Section loaded: ncryptsslp.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Section loaded: msasn1.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Section loaded: cryptsp.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Section loaded: rsaenh.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Section loaded: cryptbase.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Section loaded: gpapi.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Section loaded: dpapi.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Section loaded: ondemandconnroutehelper.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Section loaded: ondemandconnroutehelper.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Section loaded: ondemandconnroutehelper.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Section loaded: ondemandconnroutehelper.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Section loaded: ondemandconnroutehelper.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: iphlpapi.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: winnsi.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: mswsock.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_008E23FC IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, | 12_2_008E23FC |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_0086F64C GetForegroundWindow,FindWindowW,IsIconic,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,ShowWindow, | 12_2_0086F64C |
Source: C:\Users\user\Desktop\80441fcf.exe | Code function: 0_2_0040325A FindFirstFileW,FindClose,SetLastError,CompareFileTime, | 0_2_0040325A |
Source: C:\Users\user\Desktop\80441fcf.exe | Code function: 0_2_00402B9F FindFirstFileW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetCurrentDirectoryW,SetFileAttributesW,RemoveDirectoryW, | 0_2_00402B9F |
Source: C:\Users\user\Desktop\80441fcf.exe | Code function: 0_2_00402CB4 FindFirstFileW,FindClose,SetFileAttributesW,DeleteFileW, | 0_2_00402CB4 |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_008BE1AC GetFileAttributesW,FindFirstFileW,FindClose, | 12_2_008BE1AC |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_008BD98E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, | 12_2_008BD98E |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_008CA29A FindFirstFileW,Sleep,FindNextFileW,FindClose, | 12_2_008CA29A |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_008C6406 FindFirstFileW,FindNextFileW,FindClose, | 12_2_008C6406 |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_0088C5F3 FindFirstFileExW, | 12_2_0088C5F3 |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_008C70FE FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, | 12_2_008C70FE |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_008C705D FindFirstFileW,FindClose, | 12_2_008C705D |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_008BD65B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, | 12_2_008BD65B |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_008C9DB1 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 12_2_008C9DB1 |
Source: C:\Users\user\Desktop\80441fcf.exe | Code function: 0_2_0041B0EF SetUnhandledExceptionFilter, | 0_2_0041B0EF |
Source: C:\Users\user\Desktop\80441fcf.exe | Code function: 0_2_0041B2A5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 0_2_0041B2A5 |
Source: C:\Users\user\Desktop\80441fcf.exe | Code function: 0_2_0041AF8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_0041AF8A |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_008828E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 12_2_008828E2 |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_00870B8F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 12_2_00870B8F |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_00870D25 SetUnhandledExceptionFilter, | 12_2_00870D25 |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_00870F71 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 12_2_00870F71 |
Source: Apply.pif, 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: associationokeo.shop |
Source: Apply.pif, 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: turkeyunlikelyofw.shop |
Source: Apply.pif, 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: pooreveningfuseor.pw |
Source: Apply.pif, 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: edurestunningcrackyow.fun |
Source: Apply.pif, 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: detectordiscusser.shop |
Source: Apply.pif, 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: problemregardybuiwo.fun |
Source: Apply.pif, 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: lighterepisodeheighte.fun |
Source: Apply.pif, 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: technologyenterdo.shop |
Source: Apply.pif, 0000000C.00000003.2421668978.0000000004EE7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: assumptionflattyou.shop |
Source: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif | Code function: 12_2_0086F64C GetForegroundWindow,FindWindowW,IsIconic,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,ShowWindow, | 12_2_0086F64C |
Source: C:\Users\user\Desktop\80441fcf.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Inventory Inventory.bat & Inventory.bat & exit | Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist | Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" | Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist | Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe" | Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 5758 | Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Cookbook + Increasingly + Rounds + Affordable 5758\Apply.pif | Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Ink 5758\o | Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\7ZipSfx.000\5758\Apply.pif 5758\Apply.pif 5758\o | Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1 | Jump to behavior |